Sarah Jamie Lewis

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 102.5.1 **Description** The issue is related to the handling of HTML emails in Thunderbird. When a user quotes from an HTML email, for example by replying to it, and the email contains certain tags like VIDEO with the POSTER attribute or OBJECT with a DATA attribute, a network request to the referenced remote URL is performed. This happens regardless of the configuration to block remote content. An image loaded from the POSTER attribute is shown in the composer window. This could give an attacker additional capabilities. **Recommendations** For versions prior to 102.5.1, update to version 102.5.1 or later to resolve the issue. As a temporary workaround, consider avoiding quoting from HTML emails that contain VIDEO or OBJECT tags until the update is applied. Restrict access to remote content in the email client settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 102.2.1 Thunderbird versions prior to 91.13.1 **Description** The issue is related to how Thunderbird handles certain HTML emails. If a user replies to a crafted HTML email containing a `meta` tag with the `http-equiv="refresh"` attribute and a content attribute specifying a URL, Thunderbird initiates a network request to that URL, regardless of the configuration to block remote content. This can lead to the execution of JavaScript code included in the message, allowing actions such as reading and modifying the message compose document, including potentially decrypted plaintext of encrypted data. The contents could then be transmitted to the network. Users who have changed the default message body display setting to 'simple html' or 'plain text' are not affected. **Recommendations** For Thunderbird versions prior to 102.2.1, update to version 102.2.1 or later. For Thunderbird versions prior to 91.13.1, update to version 91.13.1 or later. As a temporary workaround, consider changing the default Message Body display setting to 'simple html' or 'plain text' to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Thunderbird versions prior to 102.2.1 Thunderbird versions prior to 91.13.1 **Description** The issue is related to errors in processing input data in the Thunderbird email client. It can be exploited by a remote attacker by sending a specially crafted email with an `iframe` element that uses a `srcdoc` attribute to define the inner HTML document. This allows the attacker to bypass existing security restrictions. When receiving an HTML email with an `iframe` element that uses a `srcdoc` attribute, remote objects specified in the nested document, such as images or videos, are not blocked and are loaded and displayed. **Recommendations** For versions prior to 102.2.1, update to version 102.2.1 or later to resolve the issue. For versions prior to 91.13.1, update to version 91.13.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of `iframe` elements with `srcdoc` attributes in emails until a patch is available.