Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, spoof the UI, bypass CSP restrictions, or execute arbitrary code. (CVE-2022-2200, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31744, CVE-2022-31747, CVE-2022-34468, CVE-2022-34470, CVE-2022-34479, CVE-2022-34481, CVE-2022-34484) It was discovered that an unavailable PAC file caused OCSP requests to be blocked, resulting in incorrect error pages being displayed. (CVE-2022-34472) It was discovered that the Braille space character could be used to cause Thunderbird to display the wrong sender address for signed messages. An attacker could potentially exploit this to trick the user into believing a message had been sent from somebody they trusted. (CVE-2022-1834) It was discovered that Thunderbird would consider an email with a mismatched OpenPGP signature date as valid. An attacker could potentially exploit this by replaying an older message in order to trick the user into believing that the statements in the message are current. (CVE-2022-2226)
Continue reading...
Continue reading...
