REDHAT-BUG-2359786
First published: Tue Apr 15 2025(Updated: )
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Thunderbird | <137.0.2 | |
| Thunderbird | <128.9.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of REDHAT-BUG-2359786?
The severity of REDHAT-BUG-2359786 is moderate as it can mislead users with incorrect hover text.
How do I fix REDHAT-BUG-2359786?
To fix REDHAT-BUG-2359786, upgrade to the latest version of Mozilla Thunderbird, specifically beyond version 137.0.2 or 128.9.2.
What impact does REDHAT-BUG-2359786 have on users?
REDHAT-BUG-2359786 may trick users into downloading potentially harmful attachments due to misleading hover text.
Is REDHAT-BUG-2359786 a critical security issue?
REDHAT-BUG-2359786 is not classified as a critical security issue but still poses a risk to user awareness.
which versions of Thunderbird are affected by REDHAT-BUG-2359786?
Versions of Thunderbird prior to 137.0.2 and 128.9.2 are affected by REDHAT-BUG-2359786.
- agent/references
- agent/source
- agent/last-modified-date
- agent/severity
- agent/description
- agent/type
- agent/first-publish-date
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2025-3523
- vendor/mozilla
- canonical/thunderbird