CVE-2014-2018 — Cross-site Scripting in Mozilla Seamonkey

CWE-79 — Cross-site Scripting CWE-287 — Improper Authentication24 documents14 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 27.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Seamonkey Mozilla Thunderbird Mozilla Thunderbird ESR

Timeline

PublishedFeb 17

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in a (1) OBJECT or (2) EMBED element, a related issue to CVE-2013-6674.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDmozilla/thunderbird9 versions+8

▶NVDmozilla/thunderbird_esr10 versions+9

▶NVDmozilla/seamonkey2.19+68

🔴Vulnerability Details

GHSA

GHSA-r5wp-hg7f-vr2m: Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17↗2022-05-17

▶

CVEList

CVE-2014-2018: Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17↗2014-02-17

▶

📋Vendor Advisories

Microsoft

An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping allowing a remote attacker to conduct XSS attacks as d↗2018-12-11

▶

Red Hat

strongswan: authentication bypass in verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c↗2018-09-24

▶

Red Hat

Mozilla: Script execution in HTML mail replies (MFSA 2014-14)↗2014-02-06

▶

🕵️Threat Intelligence

Securelist

Delving deep into VBScript↗2018-07-03

▶

💬Community

Bugzilla

CVE-2014-10071 zsh: buffer overflow for very long fds in >& fd syntax↗2018-02-27

▶

Bugzilla

CVE-2013-6674 CVE-2014-2018 Mozilla: Script execution in HTML mail replies (MFSA 2014-14)↗2014-02-10

▶