CVE-2024-11696
MEDIUMMozilla Firefox and Thunderbird - Signature Validation Bypass via Exception Handling
Title source: llmDescription
The application failed to account for exceptions thrown by the `loadManifestFromFile` method during add-on signature verification. This flaw, triggered by an invalid or unsupported extension manifest, could have caused runtime errors that disrupted the signature validation process. As a result, the enforcement of signature validation for unrelated add-ons may have been bypassed. Signature validation in this context is used to ensure that third-party applications on the user's computer have not tampered with the user's extensions, limiting the impact of this issue. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.
References (6)
Scores
CVSS v3
5.4
EPSS
0.0006
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-347
Status
published
Products (3)
mozilla/firefox
< 128.5.0
mozilla/firefox
< 133.0
mozilla/thunderbird
< 128.5.0
Published
Nov 26, 2024
Tracked Since
Feb 18, 2026