Vulnerability identifier: #VU9733

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7848

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Thunderbird
Client/Desktop applications / Messaging software

Vendor: Mozilla

Description
The disclosed vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient input validation of user-supplied values in HTTP parameters. A remote attacker can inject new lines into the created email structure via specially crafted RSS fields and modify the message body.

Mitigation
Update to version 52.5.2.

Vulnerable software versions

Mozilla Thunderbird: 52.0 - 52.5

---

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2017-30/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.