Medium severity6.4NVD Advisory· Published Apr 15, 2025· Updated Apr 13, 2026
CVE-2025-3523
CVE-2025-3523
Description
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
7cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*range: <128.9.2
- (no CPE)range: before 128.9.2 and before 137.0.2
- osv-coords5 versionspkg:rpm/almalinux/thunderbirdpkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweedpkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6
< 128.9.2-1.el9_5.alma.1+ 4 more
- (no CPE)range: < 128.9.2-1.el9_5.alma.1
- (no CPE)range: < 128.9.2-150200.8.209.1
- (no CPE)range: < 128.9.2-1.1
- (no CPE)range: < 128.9.2-150200.8.209.1
- (no CPE)range: < 128.9.2-150200.8.209.1
Patches
Vulnerability mechanics
References
3- www.mozilla.org/security/advisories/mfsa2025-26/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-27/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
News mentions
0No linked articles in our index yet.