PT-2025-16353 · Mozilla+11 · Thunderbird+11

Dario Weißer · Published 2025-04-15 · Updated 2025-07-22 · CVE-2025-3523

CVSS v2.0: 6.6 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:C/A:P
Name of the Vulnerable Software and Affected Versions

Thunderbird versions prior to 137.0.2
Thunderbird versions prior to 128.9.2

Description

The issue arises when an email contains multiple attachments with external links supplied via the X-Mozilla-External-Attachment-URL header. In such cases, only the last link is displayed when hovering over any of the attachments, even though the correct link is used when the attachment is clicked. This discrepancy could deceive users into downloading content from untrusted sources.

Recommendations

For Thunderbird versions prior to 137.0.2, update to version 137.0.2 or later. For Thunderbird versions prior to 128.9.2, update to version 128.9.2 or later.
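As an added triage example (not from the advisory and not Thunderbird code), the script below parses a constructed message and reports whether it carries more than one externally linked attachment with distinct X-Mozilla-External-Attachment-URL values, the condition under which a pre-fix client shows a misleading hover link. Hostnames in the sample are placeholders.

```python
"""Triage check for the CVE-2025-3523 condition: enumerate externally linked
attachments in a message and flag when more than one distinct link is present.
Added example, not Thunderbird code or part of the advisory."""
from email import message_from_string, policy

# Header Thunderbird uses for "link" attachments, as named in the advisory.
EXT_URL_HEADER = "X-Mozilla-External-Attachment-URL"

# Constructed sample message: two attachment parts, each pointing at a
# different external URL. Hostnames are placeholders, not real indicators.
SAMPLE_EML = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

See attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
X-Mozilla-External-Attachment-URL: https://files.example.invalid/report.pdf

--b1
Content-Type: application/zip; name="tools.zip"
Content-Disposition: attachment; filename="tools.zip"
X-Mozilla-External-Attachment-URL: https://other.example.invalid/tools.zip

--b1--
"""


def external_attachments(raw: str) -> list[tuple[str, str]]:
    """Return (filename, url) for every MIME part carrying the header."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        url = part.get(EXT_URL_HEADER)
        if url is None:
            continue
        found.append((part.get_filename() or "<unnamed>", str(url).strip()))
    return found


def hover_link_inconsistent(raw: str) -> bool:
    """True when distinct external URLs coexist in one message, i.e. a pre-fix
    client would show a single (last) hover link for all of them."""
    return len({url for _, url in external_attachments(raw)}) > 1
```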

Fix

Weakness Enumeration

UI Misrepresentation of Critical Information

Related Identifiers

ALSA-2025:4229
ALSA-2025:4649
ALSA-2025:7435
ALSA-2025:7507
ALT-PU-2025-5887
ALT-PU-2025-7695
BDU:2025-07589
CESA-2025_4649
CVE-2025-3523
DLA-4167-1
DSA-5912-1
INFSA-2025_4229
INFSA-2025_4649
INFSA-2025_7435
OESA-2025-1835
OPENSUSE-SU-2025:15000-1
OPENSUSE-SU-2025_1366-1
RHSA-2025:4229
RHSA-2025:4389
RHSA-2025:4512
RHSA-2025:4513
RHSA-2025:4514
RHSA-2025:4617
RHSA-2025:4649
RHSA-2025:4654
RHSA-2025:4665
RHSA-2025:7435
RHSA-2025:7507
RHSA-2025_4229
RHSA-2025_4649
RHSA-2025_7435
SUSE-SU-2025:1366-1
USN-7663-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Ubuntu