CVE-2017-7846

Published: Jun 11, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2.

Affected (13)

Products: Redhat: Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Server Eus, Enterprise Linux Workstation · Debian: Debian Linux · Mozilla: Thunderbird

5 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Workstation

1 product

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Server Aus	Version 7.4
Redhat Enterprise Linux Server Eus	Version 7.4
Redhat Enterprise Linux Server Eus	Version 7.5
Redhat Enterprise Linux Workstation	Version 6.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Before 52.5.2

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (14)

http://www.securityfocus.com/bid/102258

Source: security@mozilla.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1040123

Source: security@mozilla.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:0061

Source: security@mozilla.org

Third Party Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1411716

Source: security@mozilla.org

Issue TrackingPermissions Required

https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html

Source: security@mozilla.org

Mailing ListThird Party Advisory

https://www.debian.org/security/2017/dsa-4075

Source: security@mozilla.org

Third Party Advisory

https://www.mozilla.org/security/advisories/mfsa2017-30/

Source: security@mozilla.org

Vendor Advisory

http://www.securityfocus.com/bid/102258

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1040123

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:0061

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1411716

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPermissions Required

https://lists.debian.org/debian-lts-announce/2017/12/msg00026.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.debian.org/security/2017/dsa-4075

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.mozilla.org/security/advisories/mfsa2017-30/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.