csaf_opensuse - opensuse-su-2025-20026-1

opensuse-su-2025-20026-1

Vulnerability from csaf_opensuse

Published

2025-11-07 12:08

Modified

2025-11-07 12:08

Summary

Security update for MozillaThunderbird

Notes

Title of the patch

Security update for MozillaThunderbird

Description of the patch

This update for MozillaThunderbird fixes the following issues: Mozilla Thunderbird 140.4: * changed: Account Hub is now disabled by default for second email account * changed: Flatpak runtime has been updated to Freedesktop SDK 24.08 * fixed: Users could not read mail signed with OpenPGP v6 and PQC keys * fixed: Image preview in Insert Image dialog failed with CSP error for web resources * fixed: Emptying trash on exit did not work with some providers * fixed: Thunderbird could crash when applying filters * fixed: Users were unable to override expired mail server certificate * fixed: Opening Website header link in RSS feed incorrectly re-encoded URL parameters * fixed: Security fixes MFSA 2025-85 (bsc#1251263): * CVE-2025-11708 Use-after-free in MediaTrackGraphImpl::GetInstance() * CVE-2025-11709 Out of bounds read/write in a privileged process triggered by WebGL textures * CVE-2025-11710 Cross-process information leaked due to malicious IPC messages * CVE-2025-11711 Some non-writable Object properties could be modified * CVE-2025-11712 An OBJECT tag type attribute overrode browser behavior on web resources without a content-type * CVE-2025-11713 Potential user-assisted code execution in “Copy as cURL” command * CVE-2025-11714 Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144 * CVE-2025-11715 Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Patchnames

openSUSE-Leap-16.0-packagehub-15

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for MozillaThunderbird",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for MozillaThunderbird fixes the following issues:\n\nMozilla Thunderbird 140.4:\n\n  * changed: Account Hub is now disabled by default for second\n    email account\n  * changed: Flatpak runtime has been updated to Freedesktop SDK\n    24.08\n  * fixed: Users could not read mail signed with OpenPGP v6 and\n    PQC keys\n  * fixed: Image preview in Insert Image dialog failed with CSP\n    error for web resources\n  * fixed: Emptying trash on exit did not work with some\n    providers\n  * fixed: Thunderbird could crash when applying filters\n  * fixed: Users were unable to override expired mail server\n    certificate\n  * fixed: Opening Website header link in RSS feed incorrectly\n    re-encoded URL parameters\n  * fixed: Security fixes\n\nMFSA 2025-85 (bsc#1251263):\n\n  * CVE-2025-11708\n    Use-after-free in MediaTrackGraphImpl::GetInstance()\n  * CVE-2025-11709\n    Out of bounds read/write in a privileged process triggered by\n    WebGL textures\n  * CVE-2025-11710\n    Cross-process information leaked due to malicious IPC\n    messages\n  * CVE-2025-11711\n    Some non-writable Object properties could be modified\n  * CVE-2025-11712\n    An OBJECT tag type attribute overrode browser behavior on web\n    resources without a content-type\n  * CVE-2025-11713\n    Potential user-assisted code execution in \u201cCopy as cURL\u201d\n    command\n  * CVE-2025-11714\n    Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR\n    140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144\n  * CVE-2025-11715\n    Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird\n    ESR 140.4, Firefox 144 and Thunderbird 144\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Leap-16.0-packagehub-15",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025-20026-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1247774",
        "url": "https://bugzilla.suse.com/1247774"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251263",
        "url": "https://bugzilla.suse.com/1251263"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11708 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11708/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11709 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11709/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11710 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11710/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11711 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11711/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11712 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11712/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11713 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11713/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11714 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11714/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-11715 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-11715/"
      }
    ],
    "title": "Security update for MozillaThunderbird",
    "tracking": {
      "current_release_date": "2025-11-07T12:08:41Z",
      "generator": {
        "date": "2025-11-07T12:08:41Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025-20026-1",
      "initial_release_date": "2025-11-07T12:08:41Z",
      "revision_history": [
        {
          "date": "2025-11-07T12:08:41Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
                "product": {
                  "name": "MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
                  "product_id": "MozillaThunderbird-140.4.0-bp160.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
                "product": {
                  "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
                  "product_id": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
                "product": {
                  "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
                  "product_id": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
                "product": {
                  "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
                  "product_id": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
                "product": {
                  "name": "MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
                  "product_id": "MozillaThunderbird-140.4.0-bp160.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
                "product": {
                  "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
                  "product_id": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
                "product": {
                  "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
                  "product_id": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
                "product": {
                  "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
                  "product_id": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaThunderbird-140.4.0-bp160.1.1.s390x",
                "product": {
                  "name": "MozillaThunderbird-140.4.0-bp160.1.1.s390x",
                  "product_id": "MozillaThunderbird-140.4.0-bp160.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
                "product": {
                  "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
                  "product_id": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
                "product": {
                  "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
                  "product_id": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
                "product": {
                  "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
                  "product_id": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
                  "product_id": "MozillaThunderbird-140.4.0-bp160.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
                  "product_id": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
                  "product_id": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64",
                "product": {
                  "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64",
                  "product_id": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 16.0",
                "product": {
                  "name": "openSUSE Leap 16.0",
                  "product_id": "openSUSE Leap 16.0"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-140.4.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64"
        },
        "product_reference": "MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-140.4.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le"
        },
        "product_reference": "MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-140.4.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x"
        },
        "product_reference": "MozillaThunderbird-140.4.0-bp160.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-140.4.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64"
        },
        "product_reference": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le"
        },
        "product_reference": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x"
        },
        "product_reference": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64"
        },
        "product_reference": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le"
        },
        "product_reference": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x"
        },
        "product_reference": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64"
        },
        "product_reference": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le"
        },
        "product_reference": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x"
        },
        "product_reference": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
          "product_id": "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        },
        "product_reference": "MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 16.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-11708",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11708"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11708",
          "url": "https://www.suse.com/security/cve/CVE-2025-11708"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11708",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11708"
    },
    {
      "cve": "CVE-2025-11709",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11709"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11709",
          "url": "https://www.suse.com/security/cve/CVE-2025-11709"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11709",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11709"
    },
    {
      "cve": "CVE-2025-11710",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11710"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11710",
          "url": "https://www.suse.com/security/cve/CVE-2025-11710"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11710",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11710"
    },
    {
      "cve": "CVE-2025-11711",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11711"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11711",
          "url": "https://www.suse.com/security/cve/CVE-2025-11711"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11711",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11711"
    },
    {
      "cve": "CVE-2025-11712",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11712"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11712",
          "url": "https://www.suse.com/security/cve/CVE-2025-11712"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11712",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11712"
    },
    {
      "cve": "CVE-2025-11713",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11713"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insufficient escaping in the \"Copy as cURL\" feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11713",
          "url": "https://www.suse.com/security/cve/CVE-2025-11713"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11713",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11713"
    },
    {
      "cve": "CVE-2025-11714",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11714"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11714",
          "url": "https://www.suse.com/security/cve/CVE-2025-11714"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11714",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11714"
    },
    {
      "cve": "CVE-2025-11715",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-11715"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
          "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-11715",
          "url": "https://www.suse.com/security/cve/CVE-2025-11715"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251263 for CVE-2025-11715",
          "url": "https://bugzilla.suse.com/1251263"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.4.0-bp160.1.1.x86_64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.aarch64",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.ppc64le",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.s390x",
            "openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.4.0-bp160.1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-07T12:08:41Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2025-11715"
    }
  ]
}

CVE-2025-11712 (GCVE-0-2025-11712)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:31

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1979536
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11712",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T13:21:51.563465Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-116",
                "description": "CWE-116 Improper Encoding or Escaping of Output",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T13:28:24.592Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:51.952Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Masato Kinugawa"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:32.665Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979536"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "An OBJECT tag type attribute overrode browser behavior on web resources without a content-type"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11712",
    "datePublished": "2025-10-14T12:27:35.544Z",
    "dateReserved": "2025-10-13T19:50:07.919Z",
    "dateUpdated": "2025-11-03T17:31:51.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11715 (GCVE-0-2025-11715)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:32

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/buglist.cgi?bug_id=1983838%2C1987624%2C1988244%2C1988912%2C1989734%2C1990085%2C1991899
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11715",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-20T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-119",
                "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T03:55:16.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:03.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Mozilla Fuzzing Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:37.203Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144",
          "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1983838%2C1987624%2C1988244%2C1988912%2C1989734%2C1990085%2C1991899"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11715",
    "datePublished": "2025-10-14T12:27:36.209Z",
    "dateReserved": "2025-10-13T19:50:13.277Z",
    "dateUpdated": "2025-11-03T17:32:03.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11714 (GCVE-0-2025-11714)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:32

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699%2C1989945%2C1990970%2C1991040%2C1992113
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-82/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 115.29
Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11714",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-20T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-119",
                "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T03:55:18.468Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:01.391Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.29",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The Mozilla Fuzzing Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:28.011Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144",
          "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699%2C1989945%2C1990970%2C1991040%2C1992113"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-82/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11714",
    "datePublished": "2025-10-14T12:27:34.820Z",
    "dateReserved": "2025-10-13T19:50:12.815Z",
    "dateUpdated": "2025-11-03T17:32:01.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11711 (GCVE-0-2025-11711)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:31

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1989978
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-82/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 115.29
Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11711",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T13:22:20.331458Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-591",
                "description": "CWE-591 Sensitive Data Storage in Improperly Locked Memory",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T13:29:42.167Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:50.030Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.29",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "EntryHi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:25.495Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989978"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-82/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Some non-writable Object properties could be modified"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11711",
    "datePublished": "2025-10-14T12:27:34.470Z",
    "dateReserved": "2025-10-13T19:50:05.343Z",
    "dateUpdated": "2025-11-03T17:31:50.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11708 (GCVE-0-2025-11708)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:31

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1988931
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11708",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T13:22:05.357469Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T13:29:06.641Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:44.090Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Irvan Kurniawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:30.131Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988931"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Use-after-free in MediaTrackGraphImpl::GetInstance()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11708",
    "datePublished": "2025-10-14T12:27:35.228Z",
    "dateReserved": "2025-10-13T19:49:57.420Z",
    "dateUpdated": "2025-11-03T17:31:44.090Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11713 (GCVE-0-2025-11713)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-14 15:23

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1986142
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11713",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-20T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-116",
                "description": "CWE-116 Improper Encoding or Escaping of Output",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T03:55:17.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Hafiizh \u0026 kang ali"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Insufficient escaping in the \u201cCopy as cURL\u201d feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "Insufficient escaping in the \u201cCopy as cURL\u201d feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-14T15:23:55.588Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986142"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Potential user-assisted code execution in \u201cCopy as cURL\u201d command"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11713",
    "datePublished": "2025-10-14T12:27:35.913Z",
    "dateReserved": "2025-10-13T19:50:10.388Z",
    "dateUpdated": "2025-11-14T15:23:55.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11709 (GCVE-0-2025-11709)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:31

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1989127
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-82/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 115.29
Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11709",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T13:22:47.051044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T13:31:10.048Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:46.165Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.29",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Oskar L"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:21.135Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989127"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-82/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Out of bounds read/write in a privileged process triggered by WebGL textures"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11709",
    "datePublished": "2025-10-14T12:27:33.692Z",
    "dateReserved": "2025-10-13T19:49:59.923Z",
    "dateUpdated": "2025-11-03T17:31:46.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11710 (GCVE-0-2025-11710)

Vulnerability from cvelistv5

Published

2025-10-14 12:27

Modified

2025-11-03 17:31

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1989899
	https://www.mozilla.org/security/advisories/mfsa2025-81/
	https://www.mozilla.org/security/advisories/mfsa2025-82/
	https://www.mozilla.org/security/advisories/mfsa2025-83/
	https://www.mozilla.org/security/advisories/mfsa2025-84/
	https://www.mozilla.org/security/advisories/mfsa2025-85/

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Version: unspecified < 144

Mozilla	Firefox ESR	Version: unspecified < 115.29
Mozilla	Firefox ESR	Version: unspecified < 140.4
Mozilla	Thunderbird	Version: unspecified < 144
Mozilla	Thunderbird	Version: unspecified < 140.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-11710",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T13:22:34.719843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-200",
                "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-15T13:30:28.580Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:48.074Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.29",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "144",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Oskar L"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
            }
          ],
          "value": "A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability affects Firefox \u003c 144, Firefox ESR \u003c 115.29, Firefox ESR \u003c 140.4, Thunderbird \u003c 144, and Thunderbird \u003c 140.4."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-30T16:11:23.197Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989899"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-82/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-83/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-85/"
        }
      ],
      "title": "Cross-process information leaked due to malicious IPC messages"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-11710",
    "datePublished": "2025-10-14T12:27:34.065Z",
    "dateReserved": "2025-10-13T19:50:03.178Z",
    "dateUpdated": "2025-11-03T17:31:48.074Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2025-20026-1

Vulnerability from csaf_opensuse

CVE-2025-11712 (GCVE-0-2025-11712)

Vulnerability from cvelistv5

CVE-2025-11715 (GCVE-0-2025-11715)

Vulnerability from cvelistv5

CVE-2025-11714 (GCVE-0-2025-11714)

Vulnerability from cvelistv5

CVE-2025-11711 (GCVE-0-2025-11711)

Vulnerability from cvelistv5

CVE-2025-11708 (GCVE-0-2025-11708)

Vulnerability from cvelistv5

CVE-2025-11713 (GCVE-0-2025-11713)

Vulnerability from cvelistv5

CVE-2025-11709 (GCVE-0-2025-11709)

Vulnerability from cvelistv5

CVE-2025-11710 (GCVE-0-2025-11710)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature