Cross-site Scripting (XSS) Affecting thunderbird package, versions <0:102.3.0-3.0.1.el8_6


Severity

Recommended
0.0
high
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.14% (50th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE8-THUNDERBIRD-3035099
  • published29 Sept 2022
  • disclosed22 Dec 2022

Introduced: 29 Sep 2022

CVE-2022-3033  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade Oracle:8 thunderbird to version 0:102.3.0-3.0.1.el8_6 or higher.
This issue was patched in ELSA-2022-6708.

NVD Description

Note: Versions mentioned in the description apply only to the upstream thunderbird package and not the thunderbird package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

CVSS Scores

version 3.1