Dario Weißer

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 128.11.1 Thunderbird versions prior to 139.0.2 **Description** A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. **Recommendations** For Thunderbird versions prior to 128.11.1, update to version 128.11.1 or later to resolve the issue. For Thunderbird versions prior to 139.0.2, update to version 139.0.2 or later to resolve the issue. As a temporary workaround, consider disabling HTML mode for email viewing until a patch is available. Restrict access to external content when viewing emails in HTML mode to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1 Thunderbird versions prior to 138.0.1 Description: A crafted HTML email using `mailbox:///` links can trigger automatic, unsolicited downloads of `.pdf` files to the user's desktop or home directory without prompting. This behavior can be abused to fill the disk with garbage data or to leak Windows credentials via SMB links when the email is viewed in HTML mode. Viewing the email in HTML mode is enough to load external content. Recommendations: For Thunderbird versions prior to 128.10.1, update to version 128.10.1 or later to resolve the issue. For Thunderbird versions prior to 138.0.1, update to version 138.0.1 or later to resolve the issue. As a temporary workaround, consider disabling HTML mode for email viewing until a patch is available. Restrict access to external content when viewing emails in HTML mode to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1 Thunderbird versions prior to 138.0.1 Description: The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which can be exploited to execute JavaScript in the file:/// context. This is achieved by crafting a nested email attachment with a content type set to application/pdf, causing Thunderbird to incorrectly render it as HTML when opened. As a result, the embedded JavaScript can run without requiring a file download. This behavior is possible because Thunderbird auto-saves the attachment to /tmp and links to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. Recommendations: For versions prior to 128.10.1, update to version 128.10.1 or later to resolve the issue. For versions prior to 138.0.1, update to version 138.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the automatic rendering of attachments as HTML until a patch is available. Restrict access to attachments with the application/pdf content type to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1 Thunderbird versions prior to 138.0.1 Description: The issue allowed an attacker to craft an email that showed a tracking link as an attachment. When the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent this behavior. The problem has been fixed to prevent access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. Recommendations: For versions prior to 128.10.1, update to version 128.10.1 or later to resolve the issue. For versions prior to 138.0.1, update to version 138.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 137.0.2 Thunderbird versions prior to 128.9.2 **Description** The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which allows for external attachments. When an email is opened, Thunderbird accesses the specified URL to determine file size and navigates to it when the user clicks the attachment. Since the URL is not validated or sanitized, it can reference internal resources like `chrome://` or SMB share `file://` links. This potentially leads to hashed Windows credential leakage and opens the door to more serious security issues. **Recommendations** For versions prior to 137.0.2, update to version 137.0.2 or later. For versions prior to 128.9.2, update to version 128.9.2 or later. As a temporary workaround, consider restricting access to external attachments until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 137.0.2 Thunderbird versions prior to 128.9.2 **Description** The issue allows an attacker to disclose sensitive information from the victim's system by crafting a malformed file name for an attachment in a multipart message, tricking Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This behavior is not limited to Linux and has also been observed on Windows. **Recommendations** For versions prior to 137.0.2, update to version 137.0.2 or later. For versions prior to 128.9.2, update to version 128.9.2 or later. As a temporary workaround, consider avoiding the use of malformed file names for attachments in multipart messages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 137.0.2 Thunderbird versions prior to 128.9.2 **Description** The issue arises when an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header. In such cases, only the last link is displayed when hovering over any attachment, despite the correct link being used when the attachment is clicked. This discrepancy could potentially deceive users into downloading content from untrusted sources. **Recommendations** For Thunderbird versions prior to 137.0.2, update to version 137.0.2 or later. For Thunderbird versions prior to 128.9.2, update to version 128.9.2 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns a denial of service (DoS) vulnerability in the Linux kernel. Specifically, when the `ceph mdsc build path()` function attempts to build a path longer than `PATH MAX`, it enters an endless loop, effectively blocking the task and making most of the machine unusable. This vulnerability is considered simple and effective. The retry mechanism in this function seems unnecessary and harmful. To address this, the function will now fail with `ENAMETOOLONG` instead of retrying. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the `ceph mdsc build path()` function until a patch is available. Restrict access to paths that could potentially exceed `PATH MAX` to minimize the risk of exploitation. Avoid using paths longer than `PATH MAX` in the affected `ceph mdsc build path()` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.5.37 PHP versions 5.6.x prior to 5.6.23 **Description** The issue is related to improper interaction between the SPL extension and the unserialize implementation, along with garbage collection. This can be exploited by remote attackers using crafted serialized data, potentially leading to the execution of arbitrary code or a denial of service, resulting in a use-after-free condition and application crash. **Recommendations** For PHP versions prior to 5.5.37, update to version 5.5.37 or later. For PHP versions 5.6.x prior to 5.6.23, update to version 5.6.23 or later.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.5.37 PHP versions 5.6.x prior to 5.6.23 PHP versions 7.x prior to 7.0.8 **Description** The issue is related to the improper interaction between the `php zip.c` component in the PHP zip extension and the unserialize implementation and garbage collection. This allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a `ZipArchive` object. The vulnerability is related to the use of memory after it has been freed, which can be exploited by an attacker to execute arbitrary PHP code or cause a denial of service. **Recommendations** For PHP versions prior to 5.5.37, update to version 5.5.37 or later. For PHP versions 5.6.x prior to 5.6.23, update to version 5.6.23 or later. For PHP versions 7.x prior to 7.0.8, update to version 7.0.8 or later. As a temporary workaround, consider disabling the `ZipArchive` object in serialized data to minimize the risk of exploitation.