If an attacker intercepts Thunderbird’s initial attempt to perform automatic account setup using the Microsoft Exchange autodiscovery mechanism, and the attacker sends a crafted response, then Thunderbird sends username and password over https to a server controlled by the attacker. This vulnerability affects Thunderbird < 68.10.0.
[
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "68.10.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]