Multiple vulnerabilities in Mozilla Thunderbird



| Updated: 2024-09-17
Risk High
Patch available YES
Number of vulnerabilities 16
CVE-ID CVE-2024-6603
CVE-2024-6615
CVE-2024-6604
CVE-2024-6614
CVE-2024-6613
CVE-2024-6612
CVE-2024-6611
CVE-2024-6602
CVE-2024-6606
CVE-2024-6601
CVE-2024-6600
CVE-2024-6610
CVE-2024-6609
CVE-2024-6608
CVE-2024-6607
CVE-2024-7652
CWE-ID CWE-119
CWE-835
CWE-254
CWE-200
CWE-125
CWE-362
CWE-447
CWE-415
CWE-357
CWE-843
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Mozilla Thunderbird
Client/Desktop applications / Messaging software

Vendor Mozilla

Security Bulletin

This security bulletin contains information about 16 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU93897

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6603

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in thread creation. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU94628

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-6615

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU93898

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-6604

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Infinite loop

EUVDB-ID: #VU94627

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6614

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to alter trace data.

The vulnerability exists due to infinite loop. The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Infinite loop

EUVDB-ID: #VU94626

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6613

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to alter trace data,

The vulnerability exists due to infinite loop. The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security features bypass

EUVDB-ID: #VU94625

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6612

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass CSP protection mechanism.

The vulnerability exists due to CSP violation leakage when using devtools. CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

EUVDB-ID: #VU94624

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6611

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to SameSite=Strict or Lax cookies could be sent to a nested iframe. A remote attacker can gain access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Buffer overflow

EUVDB-ID: #VU93896

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-6602

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in NSS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Out-of-bounds read

EUVDB-ID: #VU94619

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6606

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in clipboard component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Race condition

EUVDB-ID: #VU93895

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6601

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a race condition in permission assignment. A remote attacker can trick the victim to visit a specially crafted website, bypass cross-origin container obtaining permissions of the top-level origin and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Buffer overflow

EUVDB-ID: #VU93894

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-6600

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WebGL API. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Note, the vulnerability affects Firefox installations on macOS only.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Unimplemented or Unsupported Feature in UI

EUVDB-ID: #VU94623

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6610

CWE-ID: CWE-447 - Unimplemented or Unsupported Feature in UI

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error in form validation popups. A remote attacker can spam form validation messages to prevent users from exiting full-screen mode.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Double free

EUVDB-ID: #VU94622

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-6609

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in NSS. A remote attacker can force the browser to free an elliptic curve key which was never allocated and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU94621

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6608

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when handling cursor and pointerlock. It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Insufficient UI Warning of Dangerous Operations

EUVDB-ID: #VU94620

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6607

CWE-ID: CWE-357 - Insufficient UI Warning of Dangerous Operations

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way the browsers handles escape button and pointerlock. It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a <select> element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 125.0 - 127.0

CPE2.3
External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Type Confusion

EUVDB-ID: #VU97413

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-7652

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in the ECMA-262 specification relating to Async Generators. A remote attacker can trick the victim into visiting a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Thunderbird: before 125.0, 127.0, 128.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2024-32/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###