Описание
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
The Mozilla Foundation's Security Advisory describes the following issue: It is possible to craft an email that shows a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird automatically accesses the link. The configuration to block remote content does not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email.
Отчет
Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | rhel10/thunderbird-flatpak | Affected | ||
| Red Hat Enterprise Linux 6 | thunderbird | Out of support scope | ||
| Red Hat Enterprise Linux 7 | thunderbird | Out of support scope | ||
| Red Hat Enterprise Linux 10 | thunderbird | Fixed | RHSA-2025:8196 | 27.05.2025 |
| Red Hat Enterprise Linux 8 | thunderbird | Fixed | RHSA-2025:8756 | 10.06.2025 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | thunderbird | Fixed | RHSA-2025:8391 | 02.06.2025 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | thunderbird | Fixed | RHSA-2025:8507 | 04.06.2025 |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | thunderbird | Fixed | RHSA-2025:8594 | 05.06.2025 |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | thunderbird | Fixed | RHSA-2025:8594 | 05.06.2025 |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | thunderbird | Fixed | RHSA-2025:8594 | 05.06.2025 |
Показывать по
Дополнительная информация
Статус:
6.5 Medium
CVSS3
Связанные уязвимости
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
It was possible to craft an email that showed a tracking link as an at ...
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
6.5 Medium
CVSS3