Количество 25
Количество 25
CVE-2025-2830
By crafting a malformed file name for an attachment in a multipart mes ...
GHSA-g6gh-87cw-x396
By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
GHSA-78fw-w53r-pgwg
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
BDU:2025-06569
Уязвимость почтового клиента Thunderbird, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю раскрыть защищаемую информацию
BDU:2025-06555
Уязвимость почтового клиента Thunderbird, связанная с переадресацией URL на ненадежный сайт, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
| CVE-2025-2830 By crafting a malformed file name for an attachment in a multipart mes ... | CVSS3: 6.3 | 0% Низкий | 7 месяцев назад |
| GHSA-g6gh-87cw-x396 By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | CVSS3: 6.3 | 0% Низкий | 7 месяцев назад |
| GHSA-78fw-w53r-pgwg Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | CVSS3: 6.3 | 0% Низкий | 7 месяцев назад |
 | BDU:2025-06569 Уязвимость почтового клиента Thunderbird, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю раскрыть защищаемую информацию | CVSS3: 6.3 | 0% Низкий | 7 месяцев назад |
| BDU:2025-06555 Уязвимость почтового клиента Thunderbird, связанная с переадресацией URL на ненадежный сайт, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес | CVSS3: 6.3 | 0% Низкий | 7 месяцев назад |
Уязвимостей на страницу