VulnerableCode Package Details - pkg:rpm/redhat/thunderbird@115.11.0-1?arch=el8_10

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:rpm/redhat/thunderbird@115.11.0-1?arch=el8_10

Essentials
History (6)

purl	pkg:rpm/redhat/thunderbird@115.11.0-1?arch=el8_10

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	10.0

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-11pv-s4za-tbch Aliases: CVE-2024-4768	A bug in popup notifications' interaction with WebAuthn made it easier for an attacker to trick a user into granting permissions.	There are no reported fixed by versions.
VCID-7zqn-1txc-r3d2 Aliases: CVE-2024-4770	When saving a page to PDF, certain font styles could have led to a potential use-after-free crash.	There are no reported fixed by versions.
VCID-89es-k3ja-1be1 Aliases: CVE-2024-4367 GHSA-wgrm-67xf-hhpq	PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF ### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. ### Patches The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015 ### Workarounds Set the option `isEvalSupported` to `false`. ### References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645	There are no reported fixed by versions.
VCID-b3zg-y242-xybq Aliases: CVE-2024-4767	If the browser.privatebrowsing.autostart preference is enabled, IndexedDB files were not properly deleted when the window was closed. This preference is disabled by default in Firefox.	There are no reported fixed by versions.
VCID-esw4-827s-u3f1 Aliases: CVE-2024-4769	When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin.	There are no reported fixed by versions.
VCID-yb18-qe5e-dbck Aliases: CVE-2024-4777	Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	There are no reported fixed by versions.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:47:43.111640+00:00	RedHat Importer	Affected by	VCID-yb18-qe5e-dbck	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-4777.json	38.0.0
2026-04-01T13:47:42.439149+00:00	RedHat Importer	Affected by	VCID-7zqn-1txc-r3d2	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-4770.json	38.0.0
2026-04-01T13:47:41.740571+00:00	RedHat Importer	Affected by	VCID-esw4-827s-u3f1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-4769.json	38.0.0
2026-04-01T13:47:41.024100+00:00	RedHat Importer	Affected by	VCID-11pv-s4za-tbch	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-4768.json	38.0.0
2026-04-01T13:47:40.324166+00:00	RedHat Importer	Affected by	VCID-b3zg-y242-xybq	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-4767.json	38.0.0
2026-04-01T13:47:39.682878+00:00	RedHat Importer	Affected by	VCID-89es-k3ja-1be1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-4367.json	38.0.0