Main Vulnerability Database Vulnerabilities #VU66919

#VU66919 Information disclosure in Mozilla Thunderbird - CVE-2022-3033

Published: September 1, 2022 / Updated: October 20, 2022

Vulnerability identifier: #VU66919

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-3033

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Mozilla Thunderbird

Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way Thunderbird handles the meta tag having the http-equiv="refresh" attribute in email messages when the user replies to an email. A remote attacker can send a specially crafted email to the victim and force the application to initiate requests to an external URL regardless of the configuration to block remote content.

Combined with other HTML elements and attributes in the email, it is possible to execute arbitrary JavaScript code included into the malicious message in the context of the message compose document and read or modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email.

Remediation

Install updates from vendor's website.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/

#VU66919 Information disclosure in Mozilla Thunderbird - CVE-2022-3033

Description

Remediation

External links

Please verify you're human