CVE-2022-3032 — Externally Controlled Reference to a Resource in Another Sphere in Mozilla Thunderbird

CWE-610 — Externally Controlled Reference to a Resource in Another Sphere CWE-1021 — UI Misrepresentation / Clickjacking CWE-863 — Incorrect Authorization10 documents8 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.4%

top 38.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Debian Thunderbird Mozilla Firefox

Timeline

PublishedDec 22

Description

When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/thunderbird< thunderbird 1:102.2.1-1 (bookworm)

▶CVEListV5mozilla/thunderbirdunspecified — 102.2.1+1

▶NVDmozilla/thunderbird102.0 — 102.2.1+1

▶Debianmozilla/thunderbird< 1:102.2.1-1+2

▶Ubuntumozilla/thunderbird< 1:102.2.2+build1-0ubuntu0.18.04.1+2

🔴Vulnerability Details

GHSA

GHSA-2xmh-3jxc-r2w6: When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specifi↗2022-12-22

▶

OSV

CVE-2022-3032: When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specifi↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-10-07

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-10-07

▶

Red Hat

Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked↗2022-08-31

▶

Debian

CVE-2022-3032: thunderbird - When receiving an HTML email that contained an <code>iframe</code> element, whic...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-39: CVE-2022-3032↗

▶

Mozilla

Mozilla Foundation Security Advisory 2022-38: CVE-2022-3032↗

▶

📐Framework References

CWE

Externally Controlled Reference to a Resource in Another Sphere↗

▶