CVE-2025-3523

Published: Apr 15, 2025Modified: Apr 13, 2026

6.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

Exploitability: 1.6 / Impact: 4.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.

Affected (2)

Products: Mozilla: Thunderbird

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Before 128.9.2
Mozilla Thunderbird	From 129.0 to 137.0.2

Related CWEs

User Interface (UI) Misrepresentation of Critical Information

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

References (3)

https://bugzilla.mozilla.org/show_bug.cgi?id=1958385

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2025-26/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-27/

Source: security@mozilla.org

Vendor Advisory

Timeline

No history available yet.