Vulnerability CVE-2022-45414: Information

Description

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-45414
Published: Dec. 22, 2022
Modified: Aug. 8, 2023

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
thunderbirdsisyphus102.5.1-alt1115.9.0-alt1ALT-PU-2022-3279-1311223Fixed
thunderbirdp10102.5.1-alt1115.9.0-alt1ALT-PU-2022-3335-1311239Fixed
thunderbirdp9102.7.1-alt1102.11.0-alt0.c9.1ALT-PU-2023-4335-1319683Fixed
thunderbirdc10f1102.5.1-alt1115.9.0-alt0.c10.1ALT-PU-2022-3335-1311239Fixed
thunderbirdc9f2102.6.1-alt1102.11.0-alt0.c9.1ALT-PU-2023-1137-1309126Fixed
thunderbirdp11102.5.1-alt1115.9.0-alt1ALT-PU-2022-3279-1311223Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1788096
  • Issue Tracking
  • Permissions Required
  • Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-50/
  • Vendor Advisory

    1. Configuration 1

      cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
      End excliding
      102.5.1
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top