#VU107465 Spoofing attack in Mozilla Thunderbird - CVE-2025-3523

 


Published: April 15, 2025


Vulnerability identifier: #VU107465
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-3523
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla Thunderbird
Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.


Remediation

Install updates from the vendor's website.
