PT-2021-6937 · Mozilla+9 · Thunderbird+9

Pedro Batista · Published 2021-12-07 · Updated 2024-06-15 · CVE-2021-43528

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 91.4.0

Description: The issue is related to Thunderbird unexpectedly enabling JavaScript in the composition area, which could be used as a stepping stone to further an attack with other vulnerabilities. The JavaScript execution context was limited to this area and did not receive chrome-level privileges. This vulnerability is associated with insecure privilege management, allowing a remote attacker to bypass JavaScript execution restrictions.

Recommendations: For versions prior to 91.4.0, update to version 91.4.0 or later to resolve the issue. As a temporary workaround, consider disabling JavaScript execution in the composition area until a patch is available. Restrict access to sensitive features in the composition area to minimize the risk of exploitation.

Fix

Weakness Enumeration

Improper Privilege Management

Related Identifiers

ALSA-2021:5045
ALT-PU-2021-3510
ALT-PU-2021-3541
ALT-PU-2021-3582
ALT-PU-2022-1783
BDU:2022-02701
CESA-2021_5045
CVE-2021-43528
DLA-2874-1
DSA-5034-1
MGASA-2021-0554
OPENSUSE-SU-2021:1635-1
OPENSUSE-SU-2021:4150-1
OPENSUSE-SU-2021_1635-1
OPENSUSE-SU-2021_4150-1
OPENSUSE-SU-2024:11670-1
RHSA-2021:5045
RHSA-2021:5046
RHSA-2021:5047
RHSA-2021:5048
RHSA-2021:5055
RHSA-2021_5045
RHSA-2021_5046
RLSA-2021:5045
SUSE-SU-2021:4150-1
USN-5246-1
USN-5248-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Thunderbird
Ubuntu