CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
99.2%
Several flaws were discovered in the JavaScript engine of Thunderbird. If a
user had JavaScript enabled and were tricked into viewing malicious web
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1303, CVE-2009-1305, CVE-2009-1392, CVE-2009-1833,
CVE-2009-1838)
Several flaws were discovered in the way Thunderbird processed malformed
URI schemes. If a user were tricked into viewing a malicious website and
had JavaScript and plugins enabled, a remote attacker could execute
arbitrary JavaScript or steal private data. (CVE-2009-1306, CVE-2009-1307,
CVE-2009-1309)
Cefn Hoile discovered Thunderbird did not adequately protect against
embedded third-party stylesheets. If JavaScript were enabled, an attacker
could exploit this to perform script injection attacks using XBL bindings.
(CVE-2009-1308)
Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang discovered that
Thunderbird did not properly handle error responses when connecting to a
proxy server. If a user had JavaScript enabled while using Thunderbird to
view websites and a remote attacker were able to perform a
machine-in-the-middle attack, this flaw could be exploited to view sensitive
information. (CVE-2009-1836)
It was discovered that Thunderbird could be made to run scripts with
elevated privileges. If a user had JavaScript enabled while having
certain non-default add-ons installed and were tricked into viewing a
malicious website, an attacker could cause a chrome privileged object, such
as the browser sidebar, to run arbitrary code via interactions with the
attacker controlled website. (CVE-2009-1841)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 9.04 | noarch | thunderbird | < 2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1 | UNKNOWN |
Ubuntu | 9.04 | noarch | thunderbird | < dev-2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1 | UNKNOWN |
Ubuntu | 9.04 | noarch | thunderbird | < gnome-support-2.0.0.22+build1+nobinonly-0ubuntu0.9.04.1 | UNKNOWN |
Ubuntu | 8.10 | noarch | thunderbird | < 2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1 | UNKNOWN |
Ubuntu | 8.10 | noarch | thunderbird | < dev-2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1 | UNKNOWN |
Ubuntu | 8.10 | noarch | thunderbird | < gnome-support-2.0.0.22+build1+nobinonly-0ubuntu0.8.10.1 | UNKNOWN |
Ubuntu | 8.04 | noarch | thunderbird | < 2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1 | UNKNOWN |
Ubuntu | 8.04 | noarch | thunderbird-dev | < 2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1 | UNKNOWN |
Ubuntu | 8.04 | noarch | thunderbird-gnome-support | < 2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1 | UNKNOWN |
ubuntu.com/security/CVE-2009-1303
ubuntu.com/security/CVE-2009-1305
ubuntu.com/security/CVE-2009-1306
ubuntu.com/security/CVE-2009-1307
ubuntu.com/security/CVE-2009-1308
ubuntu.com/security/CVE-2009-1309
ubuntu.com/security/CVE-2009-1392
ubuntu.com/security/CVE-2009-1833
ubuntu.com/security/CVE-2009-1836
ubuntu.com/security/CVE-2009-1838
ubuntu.com/security/CVE-2009-1841