Mozilla Thunderbird vulnerabilities

1,818 known vulnerabilities affecting mozilla/thunderbird.

Total CVEs: 1,818
CISA KEV: 14 (actively exploited)
Public exploits: 58
Exploited in wild: 18
Severity breakdown: CRITICAL 612, HIGH 551, MEDIUM 626, LOW 29

Vulnerabilities

Page 30 of 91
CVE-2022-40956 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 102.3 | affected: < 102.3 (lower bound unspecified) | 2022-12-22
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
Sources: NVD, OSV

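The entry above is about the CSP base-uri directive being ignored for some requests. The following is an added example, not code from the advisory, Mozilla or Thunderbird: it models what an injected <base href> does to relative subresource URLs and the base-uri check that is supposed to reject the injected base. The document URL, the attacker host and the directive values are constructed for the example; the source-expression matcher is a simplified subset of the CSP rules ('none', 'self' and scheme://host[:port] only). The bug in the entry corresponds to the "no directive" path below being taken for requests that should have gone through the check.

```javascript
// Added example (not from the advisory, Mozilla, or Thunderbird): how an injected
// <base href> changes where relative subresources resolve, and the CSP base-uri
// check that is supposed to reject such a base. The matcher is a simplified subset
// of the CSP source-expression rules ('none', 'self', and scheme://host[:port]).

const DOCUMENT_URL = "https://app.example/account/settings"; // constructed
const ATTACKER_BASE = "https://attacker.example/";           // constructed

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does the base-uri directive value allow `candidateBase` for a document at `documentUrl`?
function baseUriAllows(directiveValue, documentUrl, candidateBase) {
  const doc = new URL(documentUrl);
  const cand = new URL(candidateBase);
  const sources = directiveValue.trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  return sources.some((src) => {
    if (src === "'self'") return cand.origin === doc.origin;
    // host-source: scheme://host[:port] (other expression forms are not handled here)
    const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?\/?$/i.exec(src);
    if (!m) return false;
    const [, scheme, host, port] = m;
    if (`${scheme.toLowerCase()}:` !== cand.protocol) return false;
    if (host.toLowerCase() !== cand.hostname) return false;
    const candPort = cand.port || defaultPort(cand.protocol);
    return port === undefined || port === candPort;
  });
}

// The base URL the document ends up with. `cspBaseUri` is the directive value, or
// null when the policy has no base-uri directive; `injectedBaseHref` is the href of
// a <base> element the attacker managed to inject, or null when there is none.
function effectiveBaseUrl(documentUrl, cspBaseUri, injectedBaseHref) {
  if (injectedBaseHref === null) return documentUrl;
  const candidate = new URL(injectedBaseHref, documentUrl).href;
  if (cspBaseUri !== null && !baseUriAllows(cspBaseUri, documentUrl, candidate)) {
    return documentUrl; // CSP: a disallowed base is ignored, the document URL stays the base
  }
  return candidate;
}

// Where a relative reference such as <script src="/static/app.js"> is loaded from.
function subresourceUrl(relativeSrc, documentUrl, cspBaseUri, injectedBaseHref) {
  return new URL(relativeSrc, effectiveBaseUrl(documentUrl, cspBaseUri, injectedBaseHref)).href;
}

// No base-uri directive (or a request that ignores it): the script loads from the attacker.
console.log(subresourceUrl("/static/app.js", DOCUMENT_URL, null, ATTACKER_BASE));
// base-uri 'self': the injected base is rejected and the script still loads from app.example.
console.log(subresourceUrl("/static/app.js", DOCUMENT_URL, "'self'", ATTACKER_BASE));
```

The practical check for an application is the second call: with `base-uri 'self'` (or `'none'`) in the policy, a relative script or stylesheet reference must keep resolving against the document's own origin even when markup injection succeeds, which is exactly the guarantee the advisory says some requests did not get.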
CVE-2022-45410 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 102.5 | affected: < 102.5 (lower bound unspecified) | 2022-12-22
When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Sources: NVD, OSV

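The entry above says SameSite protection was negated because the request's origin was lost once a ServiceWorker took the request over. As an added example (not code from the advisory, Mozilla or Thunderbird), the block below models the SameSite attachment decision a browser makes and shows what happens when a request arrives with no known initiator. Sites are passed in already reduced to scheme plus registrable domain (no public-suffix lookup), and the cookie jar, the request shapes and the "buggy worker drops the initiator" model are all constructed for the example.

```javascript
// Added example (not from the advisory, Mozilla, or Thunderbird): the SameSite
// attachment decision for a request, and how treating a request with an unknown
// initiator as same-site leaks Strict and Lax cookies to cross-site callers.
// Assumption: sites are given as scheme + registrable domain, already computed.

// Constructed cookie jar for https://bank.example.
const JAR = [
  { name: "sid", value: "abc123", sameSite: "Strict", secure: true },
  { name: "pref", value: "compact", sameSite: "Lax", secure: true },
  { name: "tracker", value: "t-42", sameSite: "None", secure: true },
];

// HTTP methods for which Lax cookies ride along on a cross-site top-level navigation.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Decide which cookie names go on `req`. `req.initiatorSite === null` means the
// browser no longer knows which site triggered the request; `unknownInitiatorIsSameSite`
// models the pre-fix behaviour in which such a request was treated as same-site.
function cookiesForRequest(jar, req, unknownInitiatorIsSameSite = false) {
  const sameSite =
    req.initiatorSite === null
      ? unknownInitiatorIsSameSite
      : req.initiatorSite === req.targetSite;
  const laxAllowed =
    sameSite || (req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase()));
  return jar
    .filter((c) => {
      if (c.sameSite === "None") return c.secure && req.targetSite.startsWith("https://");
      if (c.sameSite === "Strict") return sameSite;
      return laxAllowed; // Lax
    })
    .map((c) => c.name);
}

// Model of a fetch passing through a service worker's FetchEvent handler. A worker
// that rebuilds the request from scratch loses the initiator; one that carries the
// original request's metadata through keeps it.
function throughServiceWorker(req, { preservesInitiator }) {
  return preservesInitiator ? { ...req } : { ...req, initiatorSite: null };
}

// Constructed requests against bank.example.
const CROSS_SITE_POST = {
  method: "POST",
  targetSite: "https://bank.example",
  initiatorSite: "https://evil.example",
  topLevelNavigation: false,
};
const CROSS_SITE_NAV = { ...CROSS_SITE_POST, method: "GET", topLevelNavigation: true };
const SAME_SITE_POST = { ...CROSS_SITE_POST, initiatorSite: "https://bank.example" };

console.log("direct cross-site POST:", cookiesForRequest(JAR, CROSS_SITE_POST));
console.log("via lossy worker, unknown treated as same-site:",
  cookiesForRequest(JAR, throughServiceWorker(CROSS_SITE_POST, { preservesInitiator: false }), true));
console.log("via fixed worker:",
  cookiesForRequest(JAR, throughServiceWorker(CROSS_SITE_POST, { preservesInitiator: true }), true));
```

The two calls that matter are the lossy-worker one, where the Strict session cookie is attached to a cross-site POST, and the fixed-worker one, where the initiator survives the hand-off and only the SameSite=None cookie is sent. The safe default when the initiator is genuinely unknown is to treat the request as cross-site, which is what `unknownInitiatorIsSameSite = false` does.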
CVE-2022-31744 | MEDIUM | CVSS 6.5 | CWE-79 | fixed in 91.11 | affected: < 102 (lower bound unspecified; one more range not shown) | 2022-12-22
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.
Sources: NVD, OSV

CVE-2022-29911 | MEDIUM | CVSS 6.1 | CWE-1021 | fixed in 91.9 | affected: < 91.9 (lower bound unspecified) | 2022-12-22
An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: NVD, OSV

CVE-2022-22748 | MEDIUM | CVSS 6.5 | CWE-79 | fixed in 91.5 | affected: < 91.5 (lower bound unspecified) | 2022-12-22
Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Sources: NVD, OSV

CVE-2022-22747 | MEDIUM | CVSS 6.5 | CWE-295 | fixed in 91.5 | affected: < 91.5 (lower bound unspecified) | 2022-12-22
After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Sources: NVD, OSV

CVE-2022-34479 | MEDIUM | CVSS 6.5 | CWE-451 | fixed in 91.11 | affected: < 102 (lower bound unspecified; one more range not shown) | 2022-12-22
A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. *This bug only affects Thunderbird for Linux. Other operating systems are unaffected.* This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102
Sources: NVD, OSV

CVE-2022-46880 | MEDIUM | CVSS 6.5 | CWE-416 | fixed in 102.6 | affected: < 102.6 (lower bound unspecified) | 2022-12-22
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird
Sources: NVD, OSV

CVE-2022-29913 | MEDIUM | CVSS 6.5 | CWE-285 | fixed in 91.9 | affected: < 91.9 (lower bound unspecified) | 2022-12-22
The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.
Sources: NVD, OSV

CVE-2022-22743 | MEDIUM | CVSS 4.3 | fixed in 91.5 | affected: < 91.5 (lower bound unspecified) | 2022-12-22
When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Sources: NVD, OSV

CVE-2022-45411 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 102.5 | affected: < 102.5 (lower bound unspecified) | 2022-12-22
Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-sta
Sources: NVD, OSV

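The entry above explains Cross-Site Tracing: a server echoing TRACE requests lets XSS read headers that JavaScript normally cannot, and browsers counter it by refusing to send TRACE from fetch() and XMLHttpRequest. As an added example (not code from the advisory, Mozilla or Thunderbird), the block below shows both halves: a constructed, in-memory stand-in for a server with TRACE enabled, and the Fetch-standard "forbidden method" check that stops page script from reaching it. The cookie jar and the server are constructed; nothing touches the network. The example covers only the method check on the client side, not any server-side method-override mechanism.

```javascript
// Added example (not from the advisory, Mozilla, or Thunderbird): why a TRACE echo
// defeats HttpOnly, and the client-side Fetch-standard method check that blocks it.

// Fetch standard: a "forbidden method" is a byte-case-insensitive match for
// CONNECT, TRACE or TRACK; fetch()/XMLHttpRequest throw instead of sending it.
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);
function isForbiddenMethod(method) {
  return FORBIDDEN_METHODS.has(String(method).toUpperCase());
}

// Constructed cookie jar for https://app.example: the session cookie is HttpOnly.
const COOKIE_JAR = [
  { name: "session", value: "s3cr3t-session-id", httpOnly: true },
  { name: "theme", value: "dark", httpOnly: false },
];

// What page script sees through document.cookie: HttpOnly cookies are hidden.
function scriptVisibleCookies(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// What the browser puts in the Cookie header of a same-origin request: every cookie.
function cookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed stand-in for a misconfigured server with TRACE enabled: the response
// body is the request itself, headers included (Content-Type: message/http).
function simulatedServer(request) {
  if (request.method.toUpperCase() !== "TRACE") {
    return { status: 405, headers: {}, body: "" };
  }
  const lines = [`${request.method} ${request.path} HTTP/1.1`];
  for (const [name, value] of Object.entries(request.headers)) lines.push(`${name}: ${value}`);
  return { status: 200, headers: { "Content-Type": "message/http" }, body: lines.join("\r\n") };
}

// An XSS payload trying to harvest the HttpOnly cookie via TRACE. Returns the Cookie
// header recovered from the echo, or null if it got nothing. `enforceForbiddenMethods`
// models whether the client applies the Fetch-standard check.
function attemptCrossSiteTracing(jar, method, enforceForbiddenMethods = true) {
  if (enforceForbiddenMethods && isForbiddenMethod(method)) return null; // fetch() throws TypeError here
  const response = simulatedServer({ method, path: "/", headers: { Cookie: cookieHeader(jar) } });
  if (response.status !== 200) return null;
  const m = /^Cookie: (.*)$/m.exec(response.body);
  return m ? m[1] : null;
}

// Does this runtime's own Fetch API reject TRACE? Returns true/false, or null when
// there is no Request global (e.g. a runtime without the Fetch API).
function runtimeRejectsTrace() {
  if (typeof Request !== "function") return null;
  try {
    new Request("https://app.example/", { method: "TRACE" });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log("document.cookie sees:", scriptVisibleCookies(COOKIE_JAR));
console.log("client without the check, TRACE echoed:", attemptCrossSiteTracing(COOKIE_JAR, "TRACE", false));
console.log("client with the check, lowercase 'trace':", attemptCrossSiteTracing(COOKIE_JAR, "trace"));
console.log("this runtime rejects TRACE:", runtimeRejectsTrace());
```

The first console line is what XSS can read directly (only `theme=dark`); the second is what it recovers from the echo when the client does not enforce the method restriction (the HttpOnly session cookie included). The check is case-insensitive on purpose, so `trace` and `TrAcK` are refused as well. On the server side the complementary fix is simply not enabling TRACE.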
CVE-2022-28285 | MEDIUM | CVSS 6.5 | CWE-125 | fixed in 91.8 | affected: < 91.8 (lower bound unspecified) | 2022-12-22
When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out-of-bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
Sources: NVD, OSV

CVE-2022-29912 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 91.9 | affected: < 91.9 (lower bound unspecified) | 2022-12-22
Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: NVD, OSV

CVE-2022-45418 | MEDIUM | CVSS 6.1 | CWE-1021 | fixed in 102.5 | affected: < 102.5 (lower bound unspecified) | 2022-12-22
If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Sources: NVD, OSV

CVE-2022-29916 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 91.9 | affected: < 91.9 (lower bound unspecified) | 2022-12-22
Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: NVD, OSV

CVE-2022-1196 | MEDIUM | CVSS 6.5 | CWE-416 | fixed in 91.8 | affected: < 91.8 (lower bound unspecified) | 2022-12-22
After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.
Sources: NVD, OSV

CVE-2022-22739 | MEDIUM | CVSS 6.5 | fixed in 91.5 | affected: < 91.5 (lower bound unspecified) | 2022-12-22
Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Sources: NVD, OSV

CVE-2022-29914 | MEDIUM | CVSS 6.5 | CWE-1021 | fixed in 91.9 | affected: < 91.9 (lower bound unspecified) | 2022-12-22
When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
Sources: NVD, OSV

CVE-2022-1197 | MEDIUM | CVSS 5.4 | CWE-295 | fixed in 91.8 | affected: < 91.8 (lower bound unspecified) | 2022-12-22
When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability a
Sources: NVD, OSV

CVE-2022-34472 | MEDIUM | CVSS 4.3 | CWE-703 | fixed in 91.11 | affected: < 102 (lower bound unspecified; one more range not shown) | 2022-12-22
If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Sources: NVD, OSV