PT-2022-4601 · Mozilla+10 · Thunderbird+10

Published 2022-08-31 · Updated 2024-06-15 · CVE-2022-3034

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Thunderbird versions prior to 102.2.1
Thunderbird versions prior to 91.13.1

Description

The issue arises when Thunderbird receives an HTML email that specifies loading an iframe element from a remote location: a request for the remote document is sent even though the document itself is never displayed by Thunderbird. This can potentially allow a remote attacker to bypass existing security restrictions by sending a specially crafted email.

Recommendations

For versions prior to 102.2.1, update to version 102.2.1 or later. For versions prior to 91.13.1, update to version 91.13.1 or later. As a temporary workaround, consider disabling the loading of remote iframe elements in emails until a patch is available.
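As an added defender-side example (not part of this advisory or of Thunderbird), the following Python script parses a raw message with the standard library and lists the iframe elements in its text/html parts whose src points to a remote URL, which is the kind of reference the bug above would fetch without rendering; the sample message is constructed for the example.

```python
# Flag <iframe> elements in an e-mail's HTML parts whose src would be fetched over the network.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}


class IframeSrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag (tag/attr names are lowercased)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def remote_iframe_sources(raw_message: str) -> list:
    """Return the remote iframe URLs found in any text/html part of the message."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)  # bytes, transfer-encoding removed
        if payload is None:
            continue
        html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        collector = IframeSrcCollector()
        collector.feed(html)
        # cid:, data: and relative references stay inside the client; only
        # absolute URLs with a network scheme cause an outbound request.
        found.extend(s for s in collector.sources
                     if urlparse(s).scheme.lower() in REMOTE_SCHEMES)
    return found


# Constructed sample: an HTML part with one remote and one inline (cid:) iframe.
SAMPLE_EML = """\
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p>
<iframe src="https://tracker.example.invalid/beacon?id=42" width="1" height="1"></iframe>
<iframe src="cid:inline-part"></iframe>
</body></html>
"""
```

Running `remote_iframe_sources(SAMPLE_EML)` returns only the https URL; the cid: reference is ignored because it never leaves the mail client.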

Fix · Clickjacking · XSS

Related Identifiers

ALSA-2022:6708
ALSA-2022:6717
ALT-PU-2022-2570
ALT-PU-2022-2931
ALT-PU-2023-1137
ALT-PU-2023-4335
BDU:2022-05479
CESA-2022_6708
CVE-2022-3034
OPENSUSE-SU-2022_3281-1
OPENSUSE-SU-2024:12299-1
RHSA-2022:6708
RHSA-2022:6710
RHSA-2022:6713
RHSA-2022:6715
RHSA-2022:6716
RHSA-2022:6717
RHSA-2022_6708
RHSA-2022_6710
RHSA-2022_6717
RLSA-2022:6708
SUSE-SU-2022:3281-1
USN-5663-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu