Vulnerability identifier: #VU87104
Vulnerability risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Mozilla Thunderbird
Client/Desktop applications /
Messaging software
Vendor: Mozilla
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in Thunderbird when handling local cache. The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third party.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Mozilla Thunderbird: 115.0 - 115.8.0
External links
http://bugzilla.mozilla.org/show_bug.cgi?id=1860977
http://www.mozilla.org/security/advisories/mfsa2024-11/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.