If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.
References
Link | Resource |
---|---|
https://bugzilla.mozilla.org/show_bug.cgi?id=1784838 | Issue Tracking Permissions Required Vendor Advisory |
https://www.mozilla.org/security/advisories/mfsa2022-38/ | Vendor Advisory |
https://www.mozilla.org/security/advisories/mfsa2022-39/ | Vendor Advisory |
https://bugzilla.mozilla.org/show_bug.cgi?id=1784838 | Issue Tracking Permissions Required Vendor Advisory |
https://www.mozilla.org/security/advisories/mfsa2022-38/ | Vendor Advisory |
https://www.mozilla.org/security/advisories/mfsa2022-39/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:18
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1784838 - Issue Tracking, Permissions Required, Vendor Advisory | |
References | () https://www.mozilla.org/security/advisories/mfsa2022-38/ - Vendor Advisory | |
References | () https://www.mozilla.org/security/advisories/mfsa2022-39/ - Vendor Advisory |
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
References | (MISC) https://www.mozilla.org/security/advisories/mfsa2022-39/ - Vendor Advisory | |
References | (MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1784838 - Issue Tracking, Permissions Required, Vendor Advisory | |
References | (MISC) https://www.mozilla.org/security/advisories/mfsa2022-38/ - Vendor Advisory | |
CPE | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* | |
CWE | CWE-79 |
22 Dec 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-22 20:15
Updated : 2024-11-21 07:18
NVD link : CVE-2022-3033
Mitre link : CVE-2022-3033
CVE.ORG link : CVE-2022-3033
JSON object : View
Products Affected
mozilla
- thunderbird
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')