SB2025052307 - SUSE update for MozillaThunderbird
Published: May 23, 2025
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-3875)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of email addresses. A remote attacker can spoof the sender email address via a specially crafted "From" field in the email.
2) Input validation error (CVE-ID: CVE-2025-3877)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect handling of "mailbox:///" links. A remote attacker can trick the victim into clicking on such a link and force the application into downloading an arbitrary file or leaking credentials.
3) Input validation error (CVE-ID: CVE-2025-3909)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to incorrect handling of the X-Mozilla-External-Attachment-URL header. A remote attacker can create a nested email attachment, set its content type to application/pdf and force the application to execute arbitrary JavaScript code in the file:/// context.
4) Information disclosure (CVE-ID: CVE-2025-3932)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect handling of tracking links. A remote attacker can create a specially crafted email message that shows a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird automatically accesses the link.
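For triage while the update is rolled out, the indicators named in items 2 and 3 (a "mailbox:///" link and an X-Mozilla-External-Attachment-URL header on a message part, including parts of nested emails) can be searched for in raw messages. The following is an added example, not code from the bulletin or from Mozilla; the function name scan_message and the sample message are hypothetical, and a hit is a signal for review, not proof of an attack.

```python
import email
import re
from email import policy

# Indicators taken from items 2 and 3 of this bulletin.
EXT_URL_HEADER = "X-Mozilla-External-Attachment-URL"
MAILBOX_LINK = re.compile(rb"mailbox:///", re.IGNORECASE)

def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (indicator, content_type, detail) for every hit in one raw message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    # walk() also descends into message/rfc822 parts, so nested e-mails are covered.
    for part in msg.walk():
        ctype = part.get_content_type()
        url = part.get(EXT_URL_HEADER)
        if url is not None:
            findings.append(("external-attachment-url", ctype, str(url).strip()))
        body = part.get_payload(decode=True)  # None for container parts
        if body and MAILBOX_LINK.search(body):
            findings.append(("mailbox-link", ctype, "mailbox:/// link in body"))
    return findings

# Constructed sample message (not a captured one); all values are placeholders.
SAMPLE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html

<a href="mailbox:///placeholder">open</a>
--outer
Content-Type: message/rfc822

Subject: nested
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/pdf
X-Mozilla-External-Attachment-URL: https://example.invalid/placeholder

--inner--
--outer--
"""
```
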
Remediation
Install the update from the vendor's website.