SUSE update for MozillaThunderbird

1) Information disclosure

EUVDB-ID: #VU107464

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-2830

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when handling attachment in a multipart message. A remote attacker can trick the victim into forwarding a specially crafted email and force Thunderbird to include in the message a directory listing of /tmp.

Mitigation

Update the affected package MozillaThunderbird to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Workstation Extension 15: SP6

SUSE Package Hub 15: 15-SP6

SUSE Linux Enterprise Real Time 15: SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

MozillaThunderbird: before 128.9.2-150200.8.209.1

MozillaThunderbird-debugsource: before 128.9.2-150200.8.209.1

MozillaThunderbird-translations-other: before 128.9.2-150200.8.209.1

MozillaThunderbird-translations-common: before 128.9.2-150200.8.209.1

MozillaThunderbird-debuginfo: before 128.9.2-150200.8.209.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_package_hub_15:15-SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:a:suse:mozillathunderbird:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-translations-other:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-translations-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-debuginfo:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20251366-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU107463

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-3522

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a missing URL validation when processing the X-Mozilla-External-Attachment-URL header to handle externally hosted attachments. A remote attacker can send a specially crafted email to the victim that contains a link with an internally referenced document, such as "chrome://" or "chrome://" and force Thunderbird to share hashed Windows credentials with that URL, leading to information disclosure.

Mitigation

Update the affected package MozillaThunderbird to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Workstation Extension 15: SP6

SUSE Package Hub 15: 15-SP6

SUSE Linux Enterprise Real Time 15: SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

MozillaThunderbird: before 128.9.2-150200.8.209.1

MozillaThunderbird-debugsource: before 128.9.2-150200.8.209.1

MozillaThunderbird-translations-other: before 128.9.2-150200.8.209.1

MozillaThunderbird-translations-common: before 128.9.2-150200.8.209.1

MozillaThunderbird-debuginfo: before 128.9.2-150200.8.209.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_package_hub_15:15-SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:a:suse:mozillathunderbird:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-translations-other:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-translations-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-debuginfo:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20251366-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Spoofing attack

EUVDB-ID: #VU107465

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-3523

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.

Mitigation

Update the affected package MozillaThunderbird to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Workstation Extension 15: SP6

SUSE Package Hub 15: 15-SP6

SUSE Linux Enterprise Real Time 15: SP6

openSUSE Leap: 15.6

SUSE Linux Enterprise Server for SAP Applications 15: SP6

SUSE Linux Enterprise Server 15: SP6

SUSE Linux Enterprise Desktop 15: SP6

MozillaThunderbird: before 128.9.2-150200.8.209.1

MozillaThunderbird-debugsource: before 128.9.2-150200.8.209.1

MozillaThunderbird-translations-other: before 128.9.2-150200.8.209.1

MozillaThunderbird-translations-common: before 128.9.2-150200.8.209.1

MozillaThunderbird-debuginfo: before 128.9.2-150200.8.209.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_workstation_extension_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_package_hub_15:15-SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP6:*:*:*:*:*:*:*
• cpe:2.3:a:suse:mozillathunderbird:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-translations-other:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-translations-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:mozillathunderbird-debuginfo:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20251366-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.