CVE-2022-3032

Published: Dec 22, 2022Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Affected (2)

Products: Mozilla: Thunderbird

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Before 91.13.1
Mozilla Thunderbird	From 102.0 to 102.2.1

Related CWEs

Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

References (6)

https://bugzilla.mozilla.org/show_bug.cgi?id=1783831

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2022-38/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-39/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1783831

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2022-38/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-39/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.