CVE-2021-43528 — Improper Privilege Management in Mozilla Thunderbird

CWE-269 — Improper Privilege Management CWE-281 — Improper Preservation of Permissions9 documents7 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.9%

top 24.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Debian Linux +1 more

Timeline

PublishedDec 8

Latest updateJan 21

Description

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:91.4.0-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 91.4.0

▶NVDmozilla/thunderbird< 91.4.0

▶Debianmozilla/thunderbird< 1:91.4.1-1~deb11u1+3

▶Ubuntumozilla/thunderbird< 1:91.5.0+build1-0ubuntu0.18.04.1+1

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

OSV

thunderbird vulnerabilities↗2022-01-21

▶

GHSA

GHSA-q4gq-74cq-85g9: Thunderbird unexpectedly enabled JavaScript in the composition area↗2021-12-09

▶

OSV

CVE-2021-43528: Thunderbird unexpectedly enabled JavaScript in the composition area↗2021-12-08

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-01-21

▶

Ubuntu

Thunderbird vulnerabilities↗2022-01-21

▶

Red Hat

Mozilla: JavaScript unexpectedly enabled for the composition area↗2021-12-07

▶

Debian

CVE-2021-43528: thunderbird - Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScr...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-54: CVE-2021-43528↗

▶