CVE-2018-5170: It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is…

medium4.3CVSS 3.0

AVNACLPRNUIRSUCNILAN

It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

Affected

29 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	thunderbird	< thunderbird 1:52.8.0-1 (bookworm)	thunderbird 1:52.8.0-1 (bookworm)
mozilla	thunderbird	< 52.8.0	52.8.0
mozilla	thunderbird	>= 0 < 1:52.8.0-1	1:52.8.0-1
mozilla	thunderbird	>= 0 < 1:52.8.0-1	1:52.8.0-1
mozilla	thunderbird	>= 0 < 1:52.8.0-1	1:52.8.0-1
mozilla	thunderbird	>= 0 < 1:52.8.0-1	1:52.8.0-1
mozilla	thunderbird	>= 0 < 1:52.8.0+build1-0ubuntu0.14.04.1	1:52.8.0+build1-0ubuntu0.14.04.1
mozilla	thunderbird	>= 0 < 1:52.8.0+build1-0ubuntu0.16.04.1	1:52.8.0+build1-0ubuntu0.16.04.1
mozilla	thunderbird	>= 0 < 1:52.8.0+build1-0ubuntu0.18.04.1	1:52.8.0+build1-0ubuntu0.18.04.1
mozilla	thunderbird	>= unspecified < 52.8	52.8
mozilla	thunderbird_esr	< 52.8.0	52.8.0
mozilla	thunderbird_esr	>= unspecified < 52.8	52.8
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_eus	—	—

CVSS provenance

nvdv3.04.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

osv9.8CRITICAL