Risk | High |
Patch available | YES |
Number of vulnerabilities | 33 |
CVE-ID | CVE-2021-29981 CVE-2021-29982 CVE-2021-29987 CVE-2021-29991 CVE-2021-32810 CVE-2021-38492 CVE-2021-38493 CVE-2021-38495 CVE-2021-38496 CVE-2021-38497 CVE-2021-38498 CVE-2021-38500 CVE-2021-38501 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-38510 CVE-2021-40529 CVE-2021-43528 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 |
CWE-ID | CWE-20 CWE-843 CWE-357 CWE-113 CWE-362 CWE-119 CWE-416 CWE-346 CWE-319 CWE-254 CWE-200 CWE-1021 CWE-327 CWE-704 CWE-451 CWE-835 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
SUSE Linux Enterprise Workstation Extension Operating systems & Components / Operating system MozillaThunderbird-translations-other Operating systems & Components / Operating system package or component MozillaThunderbird-translations-common Operating systems & Components / Operating system package or component MozillaThunderbird-debugsource Operating systems & Components / Operating system package or component MozillaThunderbird-debuginfo Operating systems & Components / Operating system package or component MozillaThunderbird Operating systems & Components / Operating system package or component |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 33 vulnerabilities.
EUVDB-ID: #VU55679
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29981
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when lowering/register allocation during live range splitting. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger register confusion failures in JITted code and execute arbitrary code on the system.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55687
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29982
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect JIT optimization and a type confusion error. A remote attacker can trick the victim to open a specially crafted web page and read a single bit of memory.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55686
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29987
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the way Firefox displays permission panels. After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to.
Note, the vulnerability affects Linux installations only.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55935
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29991
CWE-ID:
CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to the affected software incorrectly accepts a newline in a HTTP/3 header, interpretting it as two separate headers. A remote attacker can perform a header splitting attack against servers using HTTP/3.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU55598
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-32810
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a race condition in the "Stealer::steal", "Stealer::steal_batch" and "Stealer::steal_batch_and_pop" functions. A remote attacker can exploit the race and gain unauthorized access to sensitive information and execute arbitrary code on the system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56373
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38492
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when delegating navigations to the operating system. Firefox accept the mk
scheme, which allows a remote attacker to launch pages and execute scripts in Internet Explorer in unprivileged mode.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56374
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38493
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56376
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38495
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57064
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38496
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error during operations on MessageTasks. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57066
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38497
CWE-ID:
CWE-346 - Origin Validation Error
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error, which can cause a plain-text validation message to overlaid on another origin through the use of reportValidity()
and window.open()
. A remote attacker can perform a spoofing attack.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57067
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38498
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the nsLanguageAtomService object. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57065
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38500
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger a memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57068
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38501
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57241
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38502
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software ignores the configuration to require STARTTLS security for an SMTP connection. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57876
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38503
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the iframe sandbox rules were not correctly applied to XSLT stylesheets. A remote attacker can load use an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57878
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38504
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when interacting with an HTML input element's file picker dialog with webkitdirectory
set. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57879
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38505
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to absence of support for a new feature in Windows 10 known as Cloud Clipboard that, if enabled, will record data copied to the clipboard to the
cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats, which were not implemented in previous versions of Firefox and Firefox ESR.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57880
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38506
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to Firefox could have entered fullscreen mode without notification or warning to the user. A remote attacker can perform spoofing attacks on the browser UI.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57881
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38507
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in the Opportunistic Encryption feature of HTTP2, which allows a connection to be transparently upgraded to TLS while retaining
the visual properties of an HTTP connection, including being
same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port
8443) did not opt-in to opportunistic encryption; a network attacker
could forward a connection from the browser from port 443 to port 8443,
causing the browser to treat the content of port 8443 as same-origin
with HTTP. As a result, a remote attacker can bypass Same-Origin-Policy on services hosted on other ports.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57882
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38508
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to Firefox displays the form validity message in the correct location at the same time as a permission prompt (such as for geolocation). The validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57883
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38509
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of an unusual sequence of attacker-controlled events. A remote attacker can display a Javascript alert()
dialog with arbitrary (although unstyled) contents over top of arbitrary webpage of the attacker's choosing.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57884
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38510
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to silently download dangerous files on the system.
The vulnerability exists due to the executable file warning is not presented to the user when downloading .inetloc files. A remote attacker can silently download a potentially dangerous file to the user's system.
The vulnerability affects macOS operating system only.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66482
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-40529
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect ElGamal implementation in Botan, which allows plaintext recovery. A remote attacker can perform a cross-configuration attack against OpenPGP and recover encrypted data.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58618
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43528
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58585
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43536
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to URL leakage when executing asynchronous functions. A remote attacker can trick the victim to open a specially crafted web page and reveal the URL of the page that is being visited afterwards.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58586
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43537
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a type conversion error when processing sizes from 64bit to 32bit integers when using structured clone. A remote attacker can trick the victim to visit a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the system.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58607
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43538
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to a race in notification code. A remote attacker can hide the notification for pages that had received full screen and pointer lock access. Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58608
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43539
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in GC rooting when calling wasm instance methods. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58611
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43541
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when handling spaces in URLS with external protocol handlers. A remote attacker can trick the victim to click on a specially crafted link and pass unescaped input to a third-party application via URI handler.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58612
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43542
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way Firefox handles XMLHttpRequest requests. A remote attacker can initiate a XMLHttpRequest and identify installed applications by probing error messages for loading external protocols.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58613
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43543
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling CSP policies. Documents loaded with the CSP sandbox directive can escape the sandbox's script restriction by embedding additional content.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58615
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43545
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when using Location API. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58616
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43546
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data, when native cursor is zoomed. A remote attacker can perform cursor spoofing attack.
Update the affected package MozillaThunderbird to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Workstation Extension: 15-SP2 - 15-SP3
MozillaThunderbird-translations-other: before 91.4.0-8.45.2
MozillaThunderbird-translations-common: before 91.4.0-8.45.2
MozillaThunderbird-debugsource: before 91.4.0-8.45.2
MozillaThunderbird-debuginfo: before 91.4.0-8.45.2
MozillaThunderbird: before 91.4.0-8.45.2
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20214150-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.