Arbitrary Code Injection Affecting thunderbird package, versions [,128.3) [129.0,131)
Threat Intelligence
EPSS
0.09% (41st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UNMANAGED-THUNDERBIRD-8145230
- published 2 Oct 2024
- disclosed 1 Oct 2024
- credit Masato Kinugawa
How to fix?
Upgrade thunderbird
to version 128.3, 131 or higher.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Injection via a multipart response, in the resource://devtools
origin, which allows an attacker to access cross-origin JSON content.
Note: The Site Isolation feature on desktop clients limits this access to "same site" documents. Full cross-origin access is possible on Android versions.