Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-45414

Опубликовано: 30 нояб. 2022
Источник: redhat
CVSS3: 8.1
EPSS Низкий

Описание

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

The Mozilla Foundation Security Advisory describes this flaw as: If a Thunderbird user quoted from an HTML email and the email contained either a video tag with the poster attribute or an object tag with a data attribute, a network request to the referenced remote URL was performed regardless of a configuration to block remote content, and an image loaded from the poster attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targeting releases that did not yet have a fix for CVE-2022-3033.

Отчет

Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6thunderbirdOut of support scope
Red Hat Enterprise Linux 7thunderbirdFixedRHSA-2022:907915.12.2022
Red Hat Enterprise Linux 8thunderbirdFixedRHSA-2022:907415.12.2022
Red Hat Enterprise Linux 8.1 Update Services for SAP SolutionsthunderbirdFixedRHSA-2022:907715.12.2022
Red Hat Enterprise Linux 8.2 Advanced Update SupportthunderbirdFixedRHSA-2022:907615.12.2022
Red Hat Enterprise Linux 8.2 Telecommunications Update ServicethunderbirdFixedRHSA-2022:907615.12.2022
Red Hat Enterprise Linux 8.2 Update Services for SAP SolutionsthunderbirdFixedRHSA-2022:907615.12.2022
Red Hat Enterprise Linux 8.4 Extended Update SupportthunderbirdFixedRHSA-2022:907515.12.2022
Red Hat Enterprise Linux 8.6 Extended Update SupportthunderbirdFixedRHSA-2022:907815.12.2022
Red Hat Enterprise Linux 9thunderbirdFixedRHSA-2022:908015.12.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2149868Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content

EPSS

Процентиль: 38%
0.00162
Низкий

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-45414

CVSS3: 8.1
ubuntu
больше 2 лет назад

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

nvd логотип

CVE-2022-45414

CVSS3: 8.1
nvd
больше 2 лет назад

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

debian логотип

CVE-2022-45414

CVSS3: 8.1
debian
больше 2 лет назад

If a Thunderbird user quoted from an HTML email, for example by replyi ...

suse-cvrf логотип

SUSE-SU-2022:4334-1

suse-cvrf
больше 2 лет назад

Security update for MozillaThunderbird

github логотип

GHSA-gvhr-fq94-q7h9

CVSS3: 8.1
github
больше 2 лет назад

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

EPSS

Процентиль: 38%
0.00162
Низкий

8.1 High

CVSS3