Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2024-11693, CVE-2024-11697, CVE-2024-11692 |
CWE-ID | CWE-357, CWE-19 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Fedora (Operating systems & Components / Operating system); icecat-flatpak (Operating systems & Components / Operating system package or component) |
Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU100954
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-11693
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because a file warning is not displayed when downloading .library-ms files. A remote attacker can trick the victim into downloading and executing malicious files on the system.
Note, the vulnerability affects only installations on Windows operating system.
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 41
icecat-flatpak: before 115.18.0-2
CPE2.3
https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2024-5ad8ccec67
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100957
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-11697
CWE-ID:
CWE-19 - Data Handling
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper keypress handling in the executable file confirmation dialog. A remote attacker can trick the victim into executing a malicious file.
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 41
icecat-flatpak: before 115.18.0-2
CPE2.3
https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2024-5ad8ccec67
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100953
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-11692
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to an error that causes a select dropdown to be shown over another tab. A remote attacker can perform a spoofing attack against an arbitrary website.
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 41
icecat-flatpak: before 115.18.0-2
CPE2.3
https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2024-5ad8ccec67
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.