PT-2020-14568 · Mozilla · Thunderbird

Magnus Melin · Published 2020-06-30 · Updated 2021-07-21 · CVE-2020-15646

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 68.10.0

Description: The issue arises when an attacker on the network path intercepts Thunderbird's initial attempt to set up an account automatically using the Microsoft Exchange Autodiscover mechanism. If the attacker answers with a crafted Autodiscover response naming a server they control, Thunderbird sends the account's username and password over HTTPS to that server. Because the attacker's host presents a certificate valid for its own name, TLS does not protect the credentials; the flaw is that the client trusts the unauthenticated redirect without checking the destination against the account's domain or asking the user.

Recommendations: For versions prior to 68.10.0, update to version 68.10.0 or later to resolve the issue. Until the update is applied, do not use the automatic account setup path on untrusted networks; enter the Exchange server settings manually instead. Because the leaked secret is the mailbox password, rotate the password of any account that was set up automatically from an untrusted network before the fix was installed.
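To make the failure mode concrete, the following added example (not Thunderbird's code, and not a claim about the exact logic Thunderbird shipped) parses a constructed Outlook-schema Autodiscover response, shows the vulnerable behaviour of sending Basic credentials wherever the response points, and then applies a hypothetical same-domain policy: credentials go only to a host under the account's mail domain unless the user has explicitly approved the foreign hostname. The sample XML, the host names example.com and attacker.test, and the function names are all assumptions made for the illustration.

```python
"""Added example (not Thunderbird code): the credential-redirect pattern behind
CVE-2020-15646, and a same-domain policy check that closes it."""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# Namespaces of the Outlook Autodiscover response schema.
NS = {
    "a": "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006",
    "o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a",
}

# Constructed sample: a benign Autodiscover reply for alice@example.com.
BENIGN_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>mail.example.com</Server>
        <EwsUrl>https://mail.example.com/EWS/Exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""

# Constructed sample: the same reply after an on-path attacker rewrites the
# server fields. The attacker's host can present a valid certificate for its
# own name, so "the password travels over HTTPS" proves nothing useful.
CRAFTED_RESPONSE = BENIGN_RESPONSE.replace(b"mail.example.com", b"mail.attacker.test")


@dataclass(frozen=True)
class ExchangeConfig:
    server: str
    ews_url: str


def parse_autodiscover(xml_bytes: bytes) -> ExchangeConfig:
    """Extract the server name and EWS endpoint from an Autodiscover reply."""
    root = ET.fromstring(xml_bytes)
    proto = root.find("o:Response/o:Account/o:Protocol", NS)
    if proto is None:
        raise ValueError("no Protocol element in Autodiscover response")
    server = proto.findtext("o:Server", default="", namespaces=NS).strip()
    ews_url = proto.findtext("o:EwsUrl", default="", namespaces=NS).strip()
    if not server or not ews_url:
        raise ValueError("Autodiscover response lacks Server/EwsUrl")
    return ExchangeConfig(server=server, ews_url=ews_url)


def naive_login_target(xml_bytes: bytes, email: str, password: str) -> tuple[str, str]:
    """Vulnerable behaviour: build the Basic Authorization header and return the
    host it would be sent to, which is whatever the (unauthenticated) reply said."""
    cfg = parse_autodiscover(xml_bytes)
    host = urlsplit(cfg.ews_url).hostname or cfg.server
    token = base64.b64encode(f"{email}:{password}".encode()).decode()
    return host, f"Basic {token}"


def host_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (case-insensitive,
    trailing dot ignored). 'example.com.attacker.test' does NOT match."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def hardened_login_target(
    xml_bytes: bytes, email: str, password: str, user_approved: bool = False
) -> tuple[str, str]:
    """Hypothetical policy: refuse to send credentials to a host outside the
    account's mail domain unless the user was shown that host and approved it
    (hosted Exchange legitimately lives on a foreign domain, so a hard block
    alone would break real setups)."""
    cfg = parse_autodiscover(xml_bytes)
    host = urlsplit(cfg.ews_url).hostname or cfg.server
    mail_domain = email.rsplit("@", 1)[-1]
    if not host_under_domain(host, mail_domain) and not user_approved:
        raise PermissionError(f"refusing to send credentials for {email} to {host}")
    return naive_login_target(xml_bytes, email, password)


if __name__ == "__main__":
    print("naive  ->", naive_login_target(CRAFTED_RESPONSE, "alice@example.com", "hunter2")[0])
    try:
        hardened_login_target(CRAFTED_RESPONSE, "alice@example.com", "hunter2")
    except PermissionError as exc:
        print("hardened ->", exc)
```

Run stand-alone, the naive path reports mail.attacker.test as the destination of the Authorization header, while the hardened path raises before any request is built; passing user_approved=True models the user consenting after seeing the foreign hostname. The same check belongs in any client that derives a login endpoint from an unauthenticated discovery step (SRV records, well-known URLs, redirects), not just Exchange Autodiscover.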


Related Identifiers

ALT-PU-2020-2709
ALT-PU-2020-2934
ALT-PU-2021-1369
CESA-2020_3038
CVE-2020-15646
DSA-4718-1
RHSA-2020:2906
RHSA-2020:2907
RHSA-2020:2966
RHSA-2020:3038
RHSA-2020:3046

Affected Products

Alt Linux
Centos
Red Hat
Thunderbird