Risk | High |
Patch available | YES |
Number of vulnerabilities | 10 |
CVE-ID | CVE-2024-7518 CVE-2024-7519 CVE-2024-7520 CVE-2024-7521 CVE-2024-7522 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7528 CVE-2024-7529 |
CWE-ID | CWE-450 CWE-125 CWE-843 CWE-416 CWE-264 CWE-908 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Mozilla Thunderbird Client/Desktop applications / Messaging software |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
EUVDB-ID: #VU95420
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7518
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exist due to improper input interpretation in UI when handling select options. A remote attacler can obscure the fullscreen notification dialog by document content and perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95422
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7519
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error when processing
graphics shared memory. A remote attacker can create a specially crafted
website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.
Install update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95423
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7520
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95424
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7521
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95431
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7522
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in editor component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.
Install update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95495
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7525
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due missing permission check when creating a StreamFilter. A web extension with minimal permissions can create a StreamFilter, which can be used to read and modify the response body of requests on any site.
Install update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95496
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7526
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in WebGL ANGLE. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95497
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7527
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in JavaScript garbage collection. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95498
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7528
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in IndexedDB. A remote attacker can trick the victim into visiting a specially
crafted website, trigger a use-after-free error and execute arbitrary
code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95500
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7529
CWE-ID:
CWE-450 - Multiple Interpretations of UI Input
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exist due to improper handling of the date picker, which can obscure security prompts. A remote attacker use a malicious site to trick a victim into granting permissions.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 128.0
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2024-37/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.