PT-2022-7524 · Mozilla+8 · Thunderbird+8

Sarah Jamie Lewis

·

Published

2022-11-30

·

Updated

2024-06-15

·

CVE-2022-45414

CVSS v2.0

9.4

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 102.5.1
Description The issue is related to the handling of HTML emails in Thunderbird. When a user quotes from an HTML email, for example by replying to it, and the email contains certain tags like VIDEO with the POSTER attribute or OBJECT with a DATA attribute, a network request to the referenced remote URL is performed. This happens regardless of the configuration to block remote content. An image loaded from the POSTER attribute is shown in the composer window. This could give an attacker additional capabilities.
Recommendations For versions prior to 102.5.1, update to version 102.5.1 or later to resolve the issue. As a temporary workaround, consider avoiding quoting from HTML emails that contain VIDEO or OBJECT tags until the update is applied. Restrict access to remote content in the email client settings to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALSA-2022:9074
ALSA-2022:9080
ALT-PU-2022-3279
ALT-PU-2022-3335
ALT-PU-2023-1137
ALT-PU-2023-4335
BDU:2024-06950
CESA-2022_9074
CVE-2022-45414
DSA-5303-1
MGASA-2022-0452
OPENSUSE-SU-2022_4334-1
OPENSUSE-SU-2024:12544-1
RHSA-2022:9074
RHSA-2022:9075
RHSA-2022:9076
RHSA-2022:9077
RHSA-2022:9078
RHSA-2022:9079
RHSA-2022:9080
RHSA-2022:9081
RHSA-2022_9074
RHSA-2022_9079
RHSA-2022_9080
SUSE-SU-2022:4334-1
SUSE-SU-2022_4334-1
USN-5824-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Suse
Thunderbird
Ubuntu