CVE-2025-1015 — Cross-site Scripting in Mozilla Thunderbird

CWE-79 — Cross-site Scripting CWE-601 — Open Redirect CWE-787 — Out-of-bounds Write10 documents9 sources

Severity

5.4MEDIUMNVD

EPSS

25.2%

top 3.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird

Timeline

PublishedFeb 4

Latest updateJul 22

Description

The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDmozilla/thunderbird128.0.1 — 128.7.0

▶Debianmozilla/thunderbird< 1:128.7.0esr-1~deb11u1+3

🔴Vulnerability Details

OSV

CVE-2025-1015: The Thunderbird Address Book URI fields contained unsanitized links↗2025-02-04

▶

GHSA

GHSA-w5j5-j57f-hp27: The Thunderbird Address Book URI fields contained unsanitized links↗2025-02-04

▶

CVEList

Unsanitized address book fields↗2025-02-04

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2025-07-22

▶

Red Hat

thunderbird: Unsanitized address book fields↗2025-02-04

▶

Debian

CVE-2025-1015: thunderbird - The Thunderbird Address Book URI fields contained unsanitized links. This could ...↗2025

▶

Microsoft

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.↗2022-04-12

▶

Mozilla

Mozilla Foundation Security Advisory 2025-10: CVE-2025-1015↗

▶