high
8.1
CWE
79
Advisory Published
CVE Published
Updated

CVE-2022-3033: XSS

First published: Wed Aug 31 2022(Updated: )

If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'.

Credit: security@mozilla.org

Affected SoftwareAffected VersionHow to fix
<102.2.1
102.2.1
Mozilla Thunderbird<91.13.1
91.13.1
<91.13.1
91.13.1
Mozilla Thunderbird<91.13.1
Mozilla Thunderbird>=102.0<102.2.1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is the vulnerability ID for this Thunderbird vulnerability?

    The vulnerability ID for this Thunderbird vulnerability is CVE-2022-3033.

  • What is the severity rating of CVE-2022-3033?

    The severity rating of CVE-2022-3033 is high (8.1).

  • What software is affected by CVE-2022-3033?

    The software affected by CVE-2022-3033 is Mozilla Thunderbird versions 91.13.1 up to exclusive 91.13.1 and versions up to exclusive 102.2.1.

  • How can I fix CVE-2022-3033?

    To fix CVE-2022-3033, update to Mozilla Thunderbird version 91.13.1 or version 102.2.1 or newer.

  • Where can I find more information about CVE-2022-3033?

    You can find more information about CVE-2022-3033 in the following references: [Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1784838), [Mozilla Security Advisory mfsa2022-39](https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/), [Mozilla Security Advisory mfsa2022-38](https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203