PT-2022-4610 · Mozilla · Thunderbird

Sarah Jamie Lewis · Published 2022-08-31 · Updated 2024-06-15 · CVE-2022-3032

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 102.2.1
Thunderbird versions prior to 91.13.1
Description
The vulnerability is an input-handling flaw in the way the Thunderbird email client renders HTML mail. Thunderbird blocks remote content (images, media and other objects fetched over the network) in received messages, so that merely opening a message does not contact a server chosen by the sender. That block was not applied to the document defined by an iframe element's srcdoc attribute. A remote attacker can exploit this by sending a specially crafted HTML email containing such an iframe: remote objects referenced from the nested document, for example images or videos, are fetched and displayed as soon as the message is opened, without the user choosing to load remote content. This bypasses the existing restriction and lets the sender learn that and when the message was read, along with the recipient's IP address and client details, which remote-content blocking exists to prevent.
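The following is an added example, not Thunderbird code and not part of the advisory: a small Python checker that walks an HTML message, descends into every iframe srcdoc document, and lists the remote objects (http/https/ftp URLs in src or poster attributes) at each nesting depth. It shows why a remote-content block that inspects only the top-level document misses the nested references described above. The sample message, the tracker hostnames and all function names are constructed for this example.

```python
"""Find remote content nested inside iframe srcdoc documents in an HTML email.

Added example for CVE-2022-3032 (not Thunderbird or advisory code). A
remote-content blocker that inspects only the top-level HTML document sees
one tracking image in the constructed sample below; descending into each
srcdoc document finds three more.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes that cause a network fetch when the object is rendered.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Attributes, per element, whose value is fetched from the network on render.
REMOTE_ATTRS = {
    "img": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "iframe": ("src",),
}


def is_remote(url):
    """True if url points at a network resource (cid:, data: and relative refs do not)."""
    return urlparse(url.strip()).scheme.lower() in REMOTE_SCHEMES


class RemoteRefCollector(HTMLParser):
    """Collect remote references in one document and note the srcdoc documents it embeds.

    HTMLParser decodes entities in attribute values, so a srcdoc attribute written
    as &lt;img src=&quot;...&quot;&gt; comes back as the real inner HTML.
    """

    def __init__(self, depth):
        super().__init__()
        self.depth = depth
        self.remote = []   # (nesting depth, tag, url)
        self.srcdocs = []  # decoded inner documents to scan next

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("srcdoc"):
            self.srcdocs.append(attrs["srcdoc"])
        for name in REMOTE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and is_remote(value):
                self.remote.append((self.depth, tag, value))


def collect_remote_refs(html_doc, depth=0, max_depth=8):
    """Return (depth, tag, url) for every remote object in html_doc and its nested srcdoc documents."""
    parser = RemoteRefCollector(depth)
    parser.feed(html_doc)
    parser.close()
    refs = list(parser.remote)
    if depth < max_depth:  # bound recursion on hostile, deeply nested mail
        for inner in parser.srcdocs:
            refs.extend(collect_remote_refs(inner, depth + 1, max_depth))
    return refs


def scan_message(raw_bytes):
    """Scan every text/html part of an RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            refs.extend(collect_remote_refs(part.get_content()))
    return refs


def hidden_remote_refs(raw_bytes):
    """Only the references a top-level-only blocker would miss (depth > 0)."""
    return [r for r in scan_message(raw_bytes) if r[0] > 0]


# Constructed sample message; addresses and hostnames are fictitious.
SAMPLE_EML = b"""From: sender@example.test
To: victim@example.test
Subject: constructed sample for CVE-2022-3032
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://tracker.example.test/pixel.gif?id=top">
<img src="cid:logo@example.test">
<iframe srcdoc="&lt;img src=&quot;https://tracker.example.test/pixel.gif?id=nested&quot;&gt;&lt;video poster=&quot;https://tracker.example.test/poster.png&quot;&gt;&lt;/video&gt;&lt;iframe srcdoc=&quot;&amp;lt;img src=&amp;quot;https://tracker.example.test/pixel.gif?id=deep&amp;quot;&amp;gt;&quot;&gt;&lt;/iframe&gt;"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for depth, tag, url in scan_message(SAMPLE_EML):
        print(f"depth {depth}: <{tag}> {url}")
```

The double-encoded inner iframe (`&amp;lt;` inside the outer srcdoc) is there on purpose: each nesting level adds one round of entity encoding, and a scanner that decodes only once stops at depth 1. The `max_depth` cap keeps a hostile message from driving the recursion arbitrarily deep.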
Recommendations
For versions prior to 102.2.1, update to version 102.2.1 or later. For versions prior to 91.13.1, update to version 91.13.1 or later. Fixed versions are available, so updating is the remedy. If the update cannot be applied immediately, display messages as plain text (View > Message Body As > Plain Text), which prevents the HTML, including any nested srcdoc document, from being rendered at all; Thunderbird has no dedicated setting for disabling srcdoc iframes. Note that the default setting that blocks remote content does not protect an unpatched client against this issue, since the flaw is precisely that the block is not applied to the nested document.

Tags: Fix, XSS


Related Identifiers

ALSA-2022:6708
ALSA-2022:6717
ALT-PU-2022-2570
ALT-PU-2022-2931
ALT-PU-2023-1137
ALT-PU-2023-4335
BDU:2022-05488
CESA-2022:6708
CVE-2022-3032
openSUSE-SU-2022:3281-1
openSUSE-SU-2024:12299-1
RHSA-2022:6708
RHSA-2022:6710
RHSA-2022:6713
RHSA-2022:6715
RHSA-2022:6716
RHSA-2022:6717
RLSA-2022:6708
SUSE-SU-2022:3281-1
USN-5663-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu