Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2022-45414

Published: 22 December 2022

If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.

Priority

Medium

Cvss 3 Severity Score

8.1

Score breakdown

Status

Package Release Status
thunderbird
Launchpad, Ubuntu, Debian
focal
Released (1:102.7.1+build2-0ubuntu0.20.04.1)
jammy
Released (1:102.7.1+build2-0ubuntu0.22.04.1)
xenial Ignored
(end of standard support)
bionic
Released (1:102.7.1+build2-0ubuntu0.18.04.1)
trusty Ignored
(end of standard support)
upstream Needs triage

kinetic
Released (1:102.7.1+build2-0ubuntu0.22.10.1)
lunar
Released (1:102.7.1+build2-0ubuntu1)

Severity score breakdown

Parameter Value
Base score 8.1
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N