CVE-2024-11697

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass the 'Open Executable File?' confirmation dialog in Firefox and Thunderbird by tricking users with keypress events. Successful exploitation could lead to malicious code execution on the user's system. It affects Firefox versions below 133, Firefox ESR below 128.5, Thunderbird below 133, and Thunderbird ESR below 128.5.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
  • Mozilla Thunderbird ESR
Versions: Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, Thunderbird ESR < 128.5
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires user interaction with malicious content.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malicious executable file execution leading to malware installation, credential theft, or system disruption.

🟢

If Mitigated

No impact if users don't interact with malicious content or if security controls block the attack vector.

🌐 Internet-Facing: HIGH - Web browsers are directly exposed to internet content and user interaction is required for exploitation.
🏢 Internal Only: MEDIUM - Risk exists if users access malicious internal web content or emails, but attack surface is smaller than internet-facing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (clicking/tabbing) on malicious web content or email. No authentication needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 133+, Firefox ESR 128.5+, Thunderbird 133+, Thunderbird ESR 128.5+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-63/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update check and installation.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable automatic file opening

all

Configure Firefox/Thunderbird to always ask before opening executable files

about:config → browser.download.open_pdf_attachments_inline = false
about:config → browser.download.forbid_open_with = true

🧯 If You Can't Patch

  • Restrict user access to untrusted websites and email attachments
  • Implement application whitelisting to prevent unauthorized executable execution

🔍 How to Verify

Check if Vulnerable:

Check the application version in Help → About Firefox/Thunderbird. If the version is below the patched versions, the system is vulnerable.

Check Version:

firefox --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

Confirm version is Firefox 133+, Firefox ESR 128.5+, Thunderbird 133+, or Thunderbird ESR 128.5+.
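The check above has one trap: the release and ESR channels have different fix versions, so a naive "below 133" comparison flags a patched ESR 128.5 as vulnerable. The following Python is an added example, not part of this page or of Mozilla's tooling; it parses the `firefox --version` style string, detects the ESR channel from the `esr` suffix, and compares against the fix version for that channel. The `installed_version` wrapper and the sample version strings are assumptions made for the example.

```python
import re
import subprocess

# Fix versions from the advisory: release channel 133, ESR channel 128.5.
FIXED_RELEASE = (133, 0)
FIXED_ESR = (128, 5)

# Matches "128.4.0esr", "132.0.1", "133.0"; a trailing "esr" marks the
# Extended Support Release channel.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, is_esr) from a string such as
    'Mozilla Firefox 128.4.0esr', or None if no version number is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major = int(m.group(1))
    minor = int(m.group(2) or 0)
    is_esr = m.group(4) is not None
    return major, minor, is_esr


def is_vulnerable(version_string):
    """True when the build predates the CVE-2024-11697 fix.
    ESR builds are compared against 128.5 and release builds against 133,
    so ESR 128.5 (patched) is not mistaken for a pre-133 release build."""
    parsed = parse_version(version_string)
    if parsed is None:
        raise ValueError(f"no version number found in {version_string!r}")
    major, minor, is_esr = parsed
    fixed = FIXED_ESR if is_esr else FIXED_RELEASE
    return (major, minor) < fixed


def installed_version(binary="firefox"):
    """Hypothetical convenience wrapper (assumption for this example): run
    '<binary> --version' on Linux/macOS and return the printed string,
    e.g. 'Mozilla Firefox 128.4.0esr'. On Windows read the About dialog."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real install.
    for sample in ("Mozilla Firefox 128.4.0esr", "Mozilla Firefox 132.0.1",
                   "Mozilla Firefox 133.0", "Mozilla Thunderbird 128.5.0esr"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample}: {state}")
```

If the version string lacks the `esr` suffix, the function assumes the release channel and compares against 133, which is conservative (an ESR 128.5 reported without the suffix would be flagged); in that case compare against the channel you know you deployed.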

📡 Detection & Monitoring

Log Indicators:

  • Unexpected executable file downloads
  • Process creation from browser/email client with suspicious parent-child relationships

Network Indicators:

  • Downloads of executable files from untrusted sources
  • Connections to known malicious domains after file execution

SIEM Query:

process where (parent.name contains "firefox" or parent.name contains "thunderbird") and (process.name ends with ".exe" or process.name ends with ".bat" or process.name ends with ".ps1")
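To see what the query above actually fires on, here is an added Python example (not part of this page or of any vendor tooling) that runs a literal port of it, and a refined variant, over constructed process-creation events. The field names `parent.name`, `process.name` and `process.command_line` follow the query; the events themselves and the helper-process allow-list are constructed for the example. Two caveats the refined rule handles: on Windows every Firefox content process is `firefox.exe` spawned by `firefox.exe`, so the literal query flags the browser's own helpers, and a PowerShell script runs under `powershell.exe`, so `process.name` never ends in `.ps1`; the script path shows up in the command line instead.

```python
# Constructed process-creation events in the shape the SIEM query expects.
SAMPLE_EVENTS = [
    {"ts": "2024-11-27T10:01:02Z", "host": "ws01",
     "parent.name": "firefox.exe", "process.name": "invoice.exe"},
    {"ts": "2024-11-27T10:03:11Z", "host": "ws02",
     "parent.name": "thunderbird.exe", "process.name": "setup.bat"},
    {"ts": "2024-11-27T10:04:40Z", "host": "ws02",
     "parent.name": "firefox.exe", "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -File C:\\Users\\a\\Downloads\\run.ps1"},
    {"ts": "2024-11-27T10:05:00Z", "host": "ws03",
     "parent.name": "explorer.exe", "process.name": "notepad.exe"},
    # Benign: a Firefox content process, spawned by the main browser process.
    {"ts": "2024-11-27T10:05:30Z", "host": "ws01",
     "parent.name": "firefox.exe", "process.name": "firefox.exe"},
]

BROWSER_PARENTS = ("firefox", "thunderbird")
SUSPICIOUS_SUFFIXES = (".exe", ".bat", ".ps1")

# Children the browser/mail client spawns as part of normal operation.
# Constructed allow-list for this example; tune it to your own telemetry.
EXPECTED_CHILDREN = {
    "firefox.exe", "thunderbird.exe", "plugin-container.exe", "crashreporter.exe",
}


def _browser_parent(event):
    parent = event.get("parent.name", "").lower()
    return any(name in parent for name in BROWSER_PARENTS)


def matches_page_query(event):
    """Literal port of the SIEM query: browser/mail parent and a child whose
    name ends with .exe, .bat or .ps1."""
    child = event.get("process.name", "").lower()
    return _browser_parent(event) and child.endswith(SUSPICIOUS_SUFFIXES)


def matches_refined_query(event):
    """Same intent with fewer false positives and one fewer blind spot:
    skip the client's own helper processes, and detect .ps1 via the command
    line, since the process name of a script is powershell.exe."""
    if not _browser_parent(event):
        return False
    child = event.get("process.name", "").lower()
    if child in EXPECTED_CHILDREN:
        return False
    cmdline = event.get("process.command_line", "").lower()
    return child.endswith((".exe", ".bat")) or ".ps1" in cmdline


def flag_events(events, rule=matches_refined_query):
    """Return the events the given rule flags, in input order."""
    return [event for event in events if rule(event)]


if __name__ == "__main__":
    for label, rule in (("literal", matches_page_query),
                        ("refined", matches_refined_query)):
        hits = [e["process.name"] for e in flag_events(SAMPLE_EVENTS, rule)]
        print(f"{label}: {hits}")
```

Note that the query matches Windows-style image names only: on Linux and macOS process names carry no `.exe` or `.bat` suffix, so a rule for those platforms has to key on the parent alone, or on the child's path under the user's download directory, rather than on a file extension. Either rule also fires on a user legitimately opening a downloaded installer, so treat hits as triage leads, not confirmed exploitation.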

🔗 References
