PT-2014-1167 · Mozilla+1 · Thunderbird+2

Published: 2013-10-26 · Updated: 2016-10-04 · CVE-2014-2018

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Mozilla Thunderbird versions 17.x through 17.0.8
Mozilla Thunderbird ESR versions 17.x through 17.0.10
SeaMonkey versions prior to 2.20

Description

A cross-site scripting (XSS) issue allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in a (1) OBJECT or (2) EMBED element. This vulnerability can be exploited by sending a specially crafted e-mail message.

Recommendations

For Mozilla Thunderbird versions 17.x through 17.0.8, update to a version after 17.0.8 to resolve the issue.
For Mozilla Thunderbird ESR versions 17.x through 17.0.10, update to a version after 17.0.10 to resolve the issue.
For SeaMonkey versions prior to 2.20, update to version 2.20 or later to resolve the issue.
As a temporary workaround, consider disabling the use of OBJECT and EMBED elements in e-mail messages until a patch is available.
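
Where clients cannot be updated immediately, inbound mail can be screened for the pattern described above. The following is an added example, not part of the original advisory or of Mozilla's fix: it walks a message's text/html parts and reports OBJECT or EMBED elements whose URL attribute uses the data: scheme. The attribute mapping (OBJECT `data`, EMBED `src`) comes from HTML itself, and the sample message and function names are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumption from HTML: OBJECT carries its URL in "data", EMBED in "src".
URL_ATTRS = {"object": ("data",), "embed": ("src",)}

# Constructed sample message (benign payloads, placeholder addresses).
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

plain body
--b1
Content-Type: text/html; charset="utf-8"

<object data="data:text/plain,sample"></object>
<EMBED SRC=" DaTa:text/plain,sample">
<embed src="https://example.invalid/clip">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
--b1--
"""

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; values arrive entity-decoded.
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()) and value:
                # URL parsers ignore whitespace/control characters and scheme case.
                cleaned = "".join(c for c in value if c > " ").lower()
                if cleaned.startswith("data:"):
                    self.hits.append((tag, name))

def find_data_url_embeds(raw_message):
    """Return [(tag, attr), ...] for OBJECT/EMBED data: URLs in text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = _Finder()
            finder.feed(part.get_content())  # transfer encoding already decoded
            hits.extend(finder.hits)
    return hits
```

A non-empty result is a reason to quarantine the message or strip the element before delivery to an unpatched client; data: URLs on other elements, such as the IMG in the sample, are outside this advisory and are not reported.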

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2013-1033
BDU:2014-00303
CVE-2014-2018

Affected Products

Alt Linux
Thunderbird
Seamonkey