SB2022052103 - Multiple vulnerabilities in Mozilla Thunderbird 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022052103

SB2022052103 - Multiple vulnerabilities in Mozilla Thunderbird

Published: May 21, 2022 Updated: August 20, 2022

Security Bulletin ID SB2022052103
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Code Injection (CVE-ID: CVE-2022-1802)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to prototype pollution in Top-Level Await implementation. A remote attacker can trick the victim to visit a specially crafted website, corrupt the methods of an Array object in JavaScript via prototype pollution and execute arbitrary JavaScript code in a privileged context.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.


2) Input validation error (CVE-ID: CVE-2022-1529)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input within the NotificationsDB module. A remote attacker can trick the victim to visit a specially crafted web page, which passes malicious messages to the parent process where the contents is used to double-index into a JavaScript object. As a result, an attacker can perform prototype pollution and execute arbitrary JavaScript code in the privileged parent process.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.


Remediation

Install update from vendor's website.

References