CVE-2023-50761: Improper Verification of Cryptographic Signature in Mozilla Thunderbird

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 59.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 19; latest update Jan 2

Description

The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

Source      Package               Affected versions
CVEListV5   mozilla/thunderbird   unspecified, 115.6
NVD         mozilla/thunderbird   < 115.6
Debian      mozilla/thunderbird   < 1:115.6.0-1~deb11u1 +3
Ubuntu      mozilla/thunderbird   < 1:115.6.0+build2-0ubuntu0.20.04.1 +1

Also affects: Debian Linux 11.0, 12.0

Vulnerability Details (4)

OSV: thunderbird vulnerabilities (2024-01-02)
OSV: CVE-2023-50761: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time (2023-12-19)
GHSA: GHSA-86pm-w7xp-8c7p: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time (2023-12-19)
CVEList: CVE-2023-50761: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time (2023-12-19)

Vendor Advisories (4)

Ubuntu: Thunderbird vulnerabilities (2024-01-02)
Red Hat: Mozilla: S/MIME signature accepted despite mismatching message date (2023-12-19)
Debian: CVE-2023-50761: thunderbird - The signature of a digitally signed S/MIME email message may optionally specify ... (2023)
Mozilla: Mozilla Foundation Security Advisory 2023-55: CVE-2023-50761