Kaspersky LabKLA11524KLA11524 Multiple vulnerabilities in Mozilla Thunderbird
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.722 High
EPSS
Percentile
98.1%
Multiple vulnerabilities were found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to bypass security restrictions, spoof user interface, cause denial of service, perform cross-site scripting attack, obtain sensitive information, execute arbitrary code.
Below is a complete list of vulnerabilities:
- Unspecified vulnerability can be exploited Fetch API to bypass security restrictions;
- Unspecified vulnerability in Thunderbird can be exploited via cross-origin protection to bypass security restrictions;
- Unspecified vulnerability in Thunderbird can be exploited to spoof user interface;
- Unspecified vulnerability in Thunderbird can be exploited via p256-ECDH public keys forming to cause denial of service;
- Unspecified vulnerability in Thunderbird can be exploited via parsing page content to perform cross-site scripting;
- A use-after-free vulnerability in Thunderbird can be exploited to cause denial of service;
- Out-of-bounds read vulnerability in Thunderbird can be exploited via importing a curve25519 private key to obtain sensitive information;
- Unspecified vulnerability in Thunderbird can be exploited via NPAPI plugins to perform cross-site scripting;
- Unspecified vulnerability in Thunderbird can be exploited via sandbox to bypass security restrictions;
- Multiple memory corruption vulnerabilities can be exploited to execute arbitrary code.
Original advisories
Related products
CVE list
CVE-2019-9811 high
CVE-2019-11711 high
CVE-2019-11712 high
CVE-2019-11713 critical
CVE-2019-11729 warning
CVE-2019-11715 warning
CVE-2019-11717 warning
CVE-2019-11719 warning
CVE-2019-11730 warning
CVE-2019-11709 critical
Solution
Update to the latest version
Impacts
- ACE
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
- OSI
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
- DoS
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
- SB
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
- XSS/CSS
Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.
- SUI
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.
Affected Products
- Mozilla Thunderbird earlier than 60.8
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.722 High
EPSS
Percentile
98.1%