Jurgen Gaeremyn

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 68.5 **Description** The issue arises when a user saves passwords before Thunderbird 60 and then sets a master password later. The older stored password file remains unencrypted and accessible because it was not deleted when the data was migrated to a new format in Thunderbird 60. The master password is applied only to the new file, potentially exposing stored password data in a way that users do not expect. **Recommendations** For Thunderbird versions prior to 68.5, update to version 68.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 62 Firefox ESR versions prior to 60.2.1 Thunderbird versions prior to 60.2.1 **Description** The issue is related to the storage of passwords in an unencrypted form. If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This could allow the exposure of stored password data outside of user expectations. The vulnerability may allow an attacker to gain unauthorized access to protected information. **Recommendations** For Firefox versions prior to 62, update to version 62 or later to resolve the issue. For Firefox ESR versions prior to 60.2.1, update to version 60.2.1 or later to resolve the issue. For Thunderbird versions prior to 60.2.1, update to version 60.2.1 or later to resolve the issue.