Cross-site Scripting (XSS) in thunderbird | CVE-2024-11694

Threat Intelligence

0.15% (36^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-CENTOS10-THUNDERBIRD-10299727
published4 Jun 2025
disclosed26 Nov 2024

Report a new vulnerability Found a mistake?

Introduced: 26 Nov 2024

CVE-2024-11694 (opens in a new tab) CWE-79 (opens in a new tab)

Amendment

The Centos security team deemed this advisory irrelevant for Centos:10.

NVD Description

Note: Versions mentioned in the description apply only to the upstream thunderbird package and not the thunderbird package as distributed by Centos.

Enhanced Tracking Protection's Strict mode may have inadvertently allowed a CSP frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. This issue could have exposed users to malicious frames masquerading as legitimate content. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Firefox ESR < 115.18, Thunderbird < 133, Thunderbird < 128.5, and Thunderbird < 115.18.

Cross-site Scripting (XSS) The advisory has been revoked - it doesn't affect any version of package thunderbird (opens in a new tab)