First published: Tue Feb 04 2025
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript.
Credit: security@mozilla.org
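A defender-side check for the class of problem described above, added here as an example and not code from Thunderbird or Mozilla: it scans an exported address book for link-bearing fields whose URI scheme is not on an allowlist before the file is imported. It assumes the address book was exported as vCard and that the web-link and Instant Messaging fields appear as the `URL` and `IMPP` properties; the allowlist of schemes and the sample input are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Schemes a link in an address-book field may legitimately use (assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp", "sip", "irc"}
# vCard properties whose value is a URI (URL from RFC 6350, IMPP from RFC 4770).
URI_PROPERTIES = {"URL", "IMPP"}

# Constructed sample export: one folded URL line, one IM field with a
# non-allowlisted scheme, and one URL without any scheme.
SAMPLE_VCF = (
    "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:Alice Example\r\n"
    "URL:https://example.org/\r\n alice\r\n"
    "IMPP;TYPE=other:javascript:void(0)\r\nEND:VCARD\r\n"
    "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:Bob Example\r\n"
    "IMPP:xmpp:bob@example.org\r\nURL:example.org/bob\r\nEND:VCARD\r\n"
)


def unfold(text):
    """Join folded vCard lines: a line starting with space or tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", text)


def scan_vcard(text):
    """Return (contact, property, value, reason) for every URI field that fails the allowlist."""
    findings = []
    contact = "?"
    for line in unfold(text).splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        prop = head.split(";", 1)[0].strip().upper()  # drop parameters such as TYPE=other
        if prop == "BEGIN":
            contact = "?"
        elif prop == "FN":
            contact = value.strip()
        elif prop in URI_PROPERTIES:
            scheme = urlsplit(value.strip()).scheme.lower()
            if not scheme:
                findings.append((contact, prop, value, "no URI scheme"))
            elif scheme not in ALLOWED_SCHEMES:
                findings.append((contact, prop, value, f"scheme {scheme!r} not allowed"))
    return findings


if __name__ == "__main__":
    for contact, prop, value, reason in scan_vcard(SAMPLE_VCF):
        print(f"{contact}: {prop}={value!r} ({reason})")
```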
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Thunderbird | <128.7 | 128.7 |
| Thunderbird | >=128.0.1<128.7.0 | |
| Thunderbird | <135 | 135 |
The severity of CVE-2025-1015 is considered high due to the potential for a malicious payload being executed when an address book is imported.
To fix CVE-2025-1015, upgrade to Thunderbird version 128.8 or later, which addresses the vulnerability.
CVE-2025-1015 can be exploited through crafted address books that contain unsanitized links leading to potential phishing or malware attacks.
Users of Mozilla Thunderbird versions up to 128.7 are affected by CVE-2025-1015 and should take immediate action to upgrade.
If you have imported an affected address book related to CVE-2025-1015, it is recommended to delete the imported contacts and scan your system for potential malware.