Risk | High |
Patch available | YES |
Number of vulnerabilities | 17 |
CVE-ID | CVE-2024-0741 CVE-2024-0742 CVE-2024-0747 CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1553 CVE-2024-0746 CVE-2024-1546 CVE-2024-1551 CVE-2024-1552 |
CWE-ID | CWE-787 CWE-254 CWE-264 CWE-357 CWE-119 CWE-451 CWE-617 CWE-125 CWE-20 CWE-399 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Ubuntu (Operating systems & Components / Operating system); thunderbird (Ubuntu package) (Operating systems & Components / Operating system package or component) |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 17 vulnerabilities.
EUVDB-ID: #VU85707
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0741
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error in ANGLE when processing untrusted input. A remote attacker can trick the victim into opening a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85708
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0742
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a failure to update the user input timestamp for certain browser prompts and dialogs. A remote attacker can perform a clickjacking attack and trick the victim into providing unintended permissions to a malicious website.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85713
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0747
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in the way the Content Security Policy handles the unsafe-inline directive. When a parent page loaded a child in an iframe with unsafe-inline, the parent Content Security Policy could have overridden the child Content Security Policy.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85715
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0749
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists because the application does not properly impose security restrictions. A phishing site could have repurposed an about: dialog to show phishing content with an incorrect origin in the address bar.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85716
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0750
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a clickjacking attack.
The vulnerability exists due to an error in the popup notification delay calculation. A remote attacker can perform a clickjacking attack and trick a user into granting permissions to a malicious web application.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85717
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0751
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions. A malicious devtools extension could have been used to escalate privileges.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85719
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0753
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling HSTS on a subdomain. In specific HSTS configurations, an attacker could have bypassed HSTS.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85721
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0755
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86638
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1547
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can use a series of API calls and redirects to display an attacker-controlled alert dialog on another website (with the victim website's URL shown).
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86639
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1548
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can hide the fullscreen notification by using a dropdown select input element.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86640
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1549
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can use a malicious website to set a large custom cursor, portions of which can overlap with the permission dialog, potentially resulting in user confusion and unexpectedly granted permissions.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86641
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1550
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can use a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and to inadvertently granting permissions the user did not intend to grant.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86644
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1553
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85712
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0746
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when listing pointers on Linux. A remote attacker can trick the victim into opening the print preview dialog and crash the browser.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86637
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1546
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when storing and re-accessing data on a networking channel. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read and execute arbitrary code on the target system.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86642
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1551
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when processing Set-Cookie response headers in multipart HTTP responses. A remote attacker who controls the Content-Type response header and part of the response body can inject Set-Cookie response headers that are honored by the browser.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU86643
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-1552
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper management of internal resources within the browser during code generation on 32-bit ARM devices. A remote attacker can trick the victim into visiting a specially crafted website and bypass implemented security restrictions.
Mitigation
Update the affected package thunderbird to the latest version.
Vulnerable software versions
Ubuntu: 20.04 - 23.10
thunderbird (Ubuntu package): before 1:115.8.1+build1-0ubuntu0.20.04.1
External links
http://ubuntu.com/security/notices/USN-6669-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.