Thunderbird

by Mozilla Corporation

CVEs (1,864)

  • CVE-2023-4581 | Med | Sep 11, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    Excel `.xll` add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, Thunderbird < 102.15,…

  • CVE-2023-32212 | Med | Jun 2, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    An attacker could have positioned a `datalist` element to obscure the address bar. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

  • CVE-2023-32205 | Med | Jun 2, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    In multiple cases browser prompts could have been obscured by popups controlled by content. These could have led to potential user confusion and spoofing attacks. This vulnerability affects Firefox < 113, Firefox ESR < 102.11, and Thunderbird < 102.11.

  • CVE-2023-29533 | Med | Jun 2, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    A website could have obscured the fullscreen notification by using a combination of window.open, fullscreen requests, window.name assignments, and setInterval calls. This could have led to user confusion and possible spoofing attacks. This…

  • CVE-2022-3034 | Med | Dec 22, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

  • CVE-2022-34472 | Med | Dec 22, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

  • CVE-2022-26383 | Med | Dec 22, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

  • CVE-2022-22743 | Med | Dec 22, 2022
    risk 0.28 | cvss 4.3 | epss 0.01

    When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

  • CVE-2022-1520 | Med | Dec 22, 2022
    risk 0.28 | cvss 4.3 | epss 0.00

    When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message…

  • CVE-2021-43546 | Med | Dec 8, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.

  • CVE-2021-43538 | Med | Dec 8, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR <…

  • CVE-2021-38509 | Med | Dec 8, 2021
    risk 0.28 | cvss 4.3 | epss 0.02

    Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and…

  • CVE-2021-38508 | Med | Dec 8, 2021
    risk 0.28 | cvss 4.3 | epss 0.02

    By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability…

  • CVE-2021-38506 | Med | Dec 8, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

  • CVE-2021-29957 | Med | Jun 24, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    If a MIME encoded email contains an OpenPGP inline signed or encrypted message part, but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected. This vulnerability affects Thunderbird < 78.10.2.

  • CVE-2021-29956 | Med | Jun 24, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported…

  • CVE-2021-23992 | Med | Jun 24, 2021
    risk 0.28 | cvss 4.3 | epss 0.00

    Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted…

  • CVE-2021-23953 | Med | Feb 26, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.

  • CVE-2021-23969 | Med | Feb 26, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid…

  • CVE-2021-23968 | Med | Feb 26, 2021
    risk 0.28 | cvss 4.3 | epss 0.01

    If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability…
