PT-2025-4128 · Mozilla · Thunderbird

R3M0T3Nu11 · Published 2025-02-04 · Updated 2025-10-08 · CVE-2025-1015

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.7
Description: The Thunderbird Address Book URI fields contained unsanitized links. An attacker could create and export an address book containing a malicious payload in such a field, for example the "Other" field of the Instant Messaging section. If another user imported that address book, clicking on the link could open a web page inside Thunderbird, and that page could execute unprivileged JavaScript.
Recommendations: For Thunderbird versions prior to 128.7, update to version 128.7 or later to resolve the issue. Until the update is applied, do not import address books received from untrusted sources, and treat the links in the URI fields of any already imported contact (including the Instant Messaging "Other" field) as untrusted: do not click them from within Thunderbird. Note that the malicious address book is crafted on the attacker's side, so the importing user's only controls are where the file comes from and whether its links are followed.
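As an added example (not Mozilla's or the page author's code), the following Python script audits an exported address book before it is imported, which is the practical form of the recommendation above. It assumes the export is vCard (RFC 6350) text, scans the standard URI-valued properties plus any X- vendor extension, and reports every link with a verdict: javascript:/data:-style schemes are flagged as dangerous, ordinary http(s) links are listed for review because the bug was about such a page opening inside the client where its JavaScript runs, and known contact schemes pass. The property Thunderbird actually uses for the Instant Messaging "Other" field is not asserted here, and the sample .vcf below is constructed.

```python
"""Pre-import audit of an exported address book (.vcf).

Added example, not Mozilla/Thunderbird code: lists every URI-bearing
property in a vCard file and flags link schemes that have no business in
a contact field, so the file can be inspected before it is imported.
"""
import re
from urllib.parse import urlsplit

# RFC 6350 properties whose value is a URI.  Every X- property is scanned
# too, because vendor extensions (such as a client's instant-messaging
# fields) are not standardised.  Assumption about the export format, not
# a statement about Thunderbird's exact property names.
URI_PROPERTIES = {
    "URL", "IMPP", "PHOTO", "LOGO", "SOUND", "KEY", "SOURCE",
    "FBURL", "CALURI", "CALADRURI", "MEMBER", "RELATED", "UID",
}
# Schemes that can only be an attack if they appear in a contact field.
DANGEROUS_SCHEMES = {
    "javascript", "vbscript", "data", "blob", "file",
    "chrome", "resource", "about", "moz-extension",
}
# Schemes expected in contact data.  http/https get their own verdict: the
# page they point at runs JavaScript, which is the concern when a client
# opens such a link in an internal view instead of the system browser.
EXPECTED_SCHEMES = {"mailto", "tel", "xmpp", "sip", "sips", "irc", "ircs", "urn"}
BLOCKING = {"dangerous", "malformed"}

# scheme ":" non-whitespace, i.e. anything that looks like a URI reference
URI_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:\S+")


def unfold(text):
    """Join continuation lines (RFC 6350 3.2: a leading space or tab
    continues the previous line), so a link cannot hide by being folded."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_property(line):
    """Split 'NAME;PARAM=V:VALUE' into (NAME, VALUE); None if not a property."""
    head, sep, value = line.partition(":")
    if not sep:
        return None
    name = head.split(";", 1)[0].strip().upper()
    return (name, value) if name else None


def classify(uri):
    """Verdict for one URI: dangerous, external, ok, unknown or malformed."""
    try:
        scheme = urlsplit(uri).scheme.lower()
    except ValueError:
        return "malformed"
    if scheme in DANGEROUS_SCHEMES:
        return "dangerous"
    if scheme in ("http", "https"):
        return "external"
    if scheme in EXPECTED_SCHEMES:
        return "ok"
    return "unknown"


def audit_vcard(text):
    """Return (contact, property, uri, verdict) for every link found."""
    findings = []
    contact = ""
    for line in unfold(text):
        prop = parse_property(line)
        if prop is None:
            continue
        name, value = prop
        if name == "BEGIN":
            contact = ""
        elif name == "FN":
            contact = value
        elif name in URI_PROPERTIES or name.startswith("X-"):
            for uri in URI_TOKEN.findall(value):
                findings.append((contact, name, uri, classify(uri)))
    return findings


def safe_to_import(findings):
    """False if any link would be blocked; external links still need review."""
    return not any(verdict in BLOCKING for *_, verdict in findings)


# Constructed sample: a benign contact, then one carrying a script URI in an
# instant-messaging field plus an external link folded over two lines.
SAMPLE_VCF = """\
BEGIN:VCARD
VERSION:4.0
FN:Alice Example
EMAIL:alice@example.com
URL:https://example.com/alice
IMPP;X-SERVICE-TYPE=XMPP:xmpp:alice@example.com
END:VCARD
BEGIN:VCARD
VERSION:4.0
FN:Mallory Import
IMPP;X-SERVICE-TYPE=Other:javascript:alert(document.location)
URL:https://attacker.example/lure?c=
 12345
END:VCARD
"""

if __name__ == "__main__":
    results = audit_vcard(SAMPLE_VCF)
    for contact, name, uri, verdict in results:
        print(f"{verdict:9} {contact!r:20} {name}: {uri}")
    print("safe to import:", safe_to_import(results))
```

Run it against a real export with `audit_vcard(open("contacts.vcf", encoding="utf-8").read())`; a "dangerous" or "malformed" verdict is a reason not to import at all, while "external" entries are the links that, on an unpatched client, would have opened inside Thunderbird and should be checked by hand.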

Fix: available

Weakness Enumeration: XSS (cross-site scripting)

Related Identifiers

ALSA-2025:1184
ALSA-2025:1292
ALT-PU-2025-4001
ALT-PU-2025-7695
BDU:2025-02315
CESA-2025_1292
CVE-2025-1015
DLA-4045-1
DSA-5861-1
INFSA-2025_1184
INFSA-2025_1292
MGASA-2025-0048
OESA-2025-1835
OPENSUSE-SU-2025:14731-1
OPENSUSE-SU-2025_0405-1
RHSA-2025:1184
RHSA-2025:1292
RHSA-2025:1317
RHSA-2025:1318
RHSA-2025:1319
RHSA-2025:1339
RHSA-2025:1340
RHSA-2025:1341
RHSA-2025:1348
RLSA-2025:1292
SUSE-SU-2025:0405-1
USN-7663-1

Affected Products

Alt Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu