PT-2025-21188 · Mozilla+11 · Thunderbird+11

Dario Weißer

Published

2025-05-13

Updated

2025-10-01

CVE-2025-3932

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1 Thunderbird versions prior to 138.0.1

Description: The issue allowed an attacker to craft an email that showed a tracking link as an attachment. When the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent this behavior. The problem has been fixed to prevent access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email.

Recommendations: For versions prior to 128.10.1, update to version 128.10.1 or later to resolve the issue. For versions prior to 138.0.1, update to version 138.0.1 or later to resolve the issue.

Fix

Authentication Bypass Using an Alternate Path or Channel

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288CWE-200

Related Identifiers

ALSA-2025:8196

ALSA-2025:8756

ALT-PU-2025-11495

ALT-PU-2025-8611

BDU:2025-08557

CESA-2025_8756

CVE-2025-3932

DLA-4167-1

DSA-5921-1

INFSA-2025_8203

INFSA-2025_8756

MGASA-2025-0168

OESA-2025-1835

OPENSUSE-SU-2025:15131-1

OPENSUSE-SU-2025_01660-1

RHSA-2025:8196

RHSA-2025:8203

RHSA-2025:8324

RHSA-2025:8325

RHSA-2025:8326

RHSA-2025:8391

RHSA-2025:8507

RHSA-2025:8594

RHSA-2025:8756

RHSA-2025:8784

RHSA-2025_8203

RHSA-2025_8756

SUSE-SU-2025:01660-1

SUSE-SU-2025:01660-2

USN-7663-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Debian

Linuxmint

Red Hat

Red Os

Rocky Linux

Suse

Thunderbird

Ubuntu

PT-2025-21188 · Mozilla+11 · Thunderbird+11

CVE-2025-3932

Weakness Enumeration

Related Identifiers

Affected Products

References · 221