SB2021022319 - Multiple vulnerabilities in Mozilla Thunderbird 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021022319

SB2021022319 - Multiple vulnerabilities in Mozilla Thunderbird

Published: February 23, 2021

Security Bulletin ID SB2021022319
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 50% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Improperly implemented security check for standard (CVE-ID: CVE-2021-23969)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect implementation of W3C Content Security Policy. Under certain types of redirects Firefox incorrectly sets the source file to be the destination of the redirects. A remote attacker can gain knowledge of the destination URL.


2) Improperly implemented security check for standard (CVE-ID: CVE-2021-23968)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect implementation of W3C Content Security Policy. If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. A remote attacker can gain knowledge of sensitive information contained in such URIs.

3) Information disclosure (CVE-ID: CVE-2021-23973)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output via a decoding error, when trying to load a cross-origin resource in an audio/video context. A remote attacker can gain access to information about the resource.


4) Buffer overflow (CVE-ID: CVE-2021-23978)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References