CVE-2022-3033

Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 102.2.1 Thunderbird versions prior to 91.13.1

Description The issue is related to how Thunderbird handles certain HTML emails. If a user replies to a crafted HTML email containing a meta tag with the http-equiv="refresh" attribute and a content attribute specifying a URL, Thunderbird initiates a network request to that URL, regardless of the configuration to block remote content. This can lead to the execution of JavaScript code included in the message, allowing actions such as reading and modifying the message compose document, including potentially decrypted plaintext of encrypted data. The contents could then be transmitted to the network. Users who have changed the default message body display setting to 'simple html' or 'plain text' are not affected.

Recommendations For Thunderbird versions prior to 102.2.1, update to version 102.2.1 or later. For Thunderbird versions prior to 91.13.1, update to version 91.13.1 or later. As a temporary workaround, consider changing the default Message Body display setting to 'simple html' or 'plain text' to minimize the risk of exploitation.