Mozilla Thunderbird vulnerabilities

1,818 known vulnerabilities affecting mozilla/thunderbird.

Total CVEs

1,818

CISA KEV

actively exploited

Public exploits

Exploited in wild

Severity breakdown

CRITICAL612HIGH551MEDIUM626LOW29

Vulnerabilities

Page 51 of 91

CVE-2017-7757CRITICALCVSS 9.8fixed in 52.2.0≥ unspecified, < 52.22018-06-11

CVE-2017-7757 [CRITICAL] CWE-416 CVE-2017-7757: A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a m A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.

nvd

CVE-2017-5406HIGHCVSS 7.5fixed in 52.0≥ unspecified, < 522018-06-11

CVE-2017-5406 [HIGH] CWE-119 CVE-2017-5406: A segmentation fault can occur in the Skia graphics library during some canvas operations due to iss A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. This vulnerability affects Firefox < 52 and Thunderbird < 52.

nvd

CVE-2018-5184HIGHCVSS 7.5fixed in 52.8.0≥ unspecified, < 52.82018-06-11

CVE-2018-5184 [HIGH] CWE-326 CVE-2018-5184: Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerabili Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.

nvdosv

CVE-2017-5411HIGHCVSS 7.5fixed in 52.0≥ unspecified, < 522018-06-11

CVE-2017-5411 [HIGH] CWE-416 CVE-2017-5411: A use-after-free can occur during buffer storage operations within the ANGLE graphics library, used A use-after-free can occur during buffer storage operations within the ANGLE graphics library, used for WebGL content. The buffer storage can be freed while still in use in some circumstances, leading to a potentially exploitable crash. Note: This issue is in "libGLES", which is only in use on Windows. Other operating systems are not affected. This vulne

nvd

CVE-2018-5178HIGHCVSS 8.1fixed in 52.8.0≥ unspecified, < 52.82018-06-11

CVE-2018-5178 [HIGH] CWE-119 CVE-2018-5178: A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremel A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. This vulnerability affects Thunderbird ESR < 52.8, Thunderbird < 52.8, and Firefox ESR < 52.8.

nvdosv

CVE-2017-7765HIGHCVSS 7.5fixed in 52.2.0≥ unspecified, < 52.22018-06-11

CVE-2017-7765 [HIGH] CWE-20 CVE-2017-7765: The "Mark of the Web" was not correctly saved on Windows when files with very long names were downlo The "Mark of the Web" was not correctly saved on Windows when files with very long names were downloaded from the Internet. Without the Mark of the Web data, the security warning that Windows displays before running executables downloaded from the Internet is not shown. Note: This attack only affects Windows operating systems. Other operating systems are

nvd

CVE-2017-7803HIGHCVSS 7.5fixed in 52.3.0≥ unspecified, < 52.32018-06-11

CVE-2017-7803 [HIGH] CWE-269 CVE-2017-7803: When a page's content security policy (CSP) header contains a "sandbox" directive, other directives When a page's content security policy (CSP) header contains a "sandbox" directive, other directives are ignored. This results in the incorrect enforcement of CSP. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

nvd

CVE-2017-7845HIGHCVSS 8.8fixed in 52.5.2≥ unspecified, < 52.5.22018-06-11

CVE-2017-7845 [HIGH] CWE-119 CVE-2017-7845: A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graph A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaf

nvd

CVE-2017-5421HIGHCVSS 7.5fixed in 52.0.≥ unspecified, < 522018-06-11

CVE-2017-5421 [HIGH] CWE-20 CVE-2017-5421: A malicious site could spoof the contents of the print preview window if popup windows are enabled, A malicious site could spoof the contents of the print preview window if popup windows are enabled, resulting in user confusion of what site is currently loaded. This vulnerability affects Firefox < 52 and Thunderbird < 52.

nvd

CVE-2018-5129HIGHCVSS 8.6fixed in 52.7.0≥ unspecified, < 52.72018-06-11

CVE-2018-5129 [HIGH] CWE-787 CVE-2018-5129: A lack of parameter validation on IPC messages results in a potential out-of-bounds write through ma A lack of parameter validation on IPC messages results in a potential out-of-bounds write through malformed IPC messages. This can potentially allow for sandbox escape through memory corruption in the parent process. This vulnerability affects Thunderbird < 52.7, Firefox ESR < 52.7, and Firefox < 59.

nvdosv

CVE-2017-7807HIGHCVSS 8.1fixed in 52.3.0≥ unspecified, < 52.32018-06-11

CVE-2017-7807 [HIGH] CWE-20 CVE-2017-7807: A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory. This vulnerability affects Thunderbird < 52.3, Firefox ESR < 52.3, and Firefox < 55.

nvd

CVE-2017-5422HIGHCVSS 7.5fixed in 52.0≥ unspecified, < 522018-06-11

CVE-2017-5422 [HIGH] CWE-20 CVE-2017-5422: If a malicious site uses the "view-source:" protocol in a series within a single hyperlink, it can t If a malicious site uses the "view-source:" protocol in a series within a single hyperlink, it can trigger a non-exploitable browser crash when the hyperlink is selected. This was fixed by no longer making "view-source:" linkable. This vulnerability affects Firefox < 52 and Thunderbird < 52.

nvd

CVE-2017-7805HIGHCVSS 7.5v52.4.0≥ unspecified, < 52.42018-06-11

CVE-2017-7805 [HIGH] CWE-416 CVE-2017-7805: During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-fr

nvdosv

CVE-2016-9900HIGHCVSS 7.5fixed in 45.6.0≥ unspecified, < 45.62018-06-11

CVE-2016-9900 [HIGH] CWE-254 CVE-2016-9900: External resources that should be blocked when loaded by SVG images can bypass security restrictions External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6.

nvd

CVE-2017-7755HIGHCVSS 7.8fixed in 52.2.0≥ unspecified, < 52.22018-06-11

CVE-2017-7755 [HIGH] CWE-426 CVE-2017-7755: The Firefox installer on Windows can be made to load malicious DLL files stored in the same director The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54

nvd

CVE-2017-7846HIGHCVSS 8.8fixed in 52.5.2≥ unspecified, < 52.5.22018-06-11

CVE-2017-7846 [HIGH] CWE-74 CVE-2017-7846: It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e. It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2.

nvdosv

CVE-2017-7754HIGHCVSS 7.5fixed in 52.2.0≥ unspecified, < 52.22018-06-11

CVE-2017-7754 [HIGH] CWE-125 CVE-2017-7754: An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.

nvd

CVE-2017-5467HIGHCVSS 7.5fixed in 52.1.0≥ unspecified, < 52.12018-06-11

CVE-2017-5467 [HIGH] CWE-119 CVE-2017-5467: A potential memory corruption and crash when using Skia content when drawing content outside of the A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.

nvdosv

CVE-2017-5412HIGHCVSS 7.5fixed in 52.0≥ unspecified, < 522018-06-11

CVE-2017-5412 [HIGH] CWE-119 CVE-2017-5412: A buffer overflow read during SVG filter color value operations, resulting in data exposure. This vu A buffer overflow read during SVG filter color value operations, resulting in data exposure. This vulnerability affects Firefox < 52 and Thunderbird < 52.

nvd

CVE-2018-5144HIGHCVSS 7.3fixed in 52.7.0≥ unspecified, < 52.72018-06-11

CVE-2018-5144 [HIGH] CWE-190 CVE-2018-5144: An integer overflow can occur during conversion of text to some Unicode character sets due to an unc An integer overflow can occur during conversion of text to some Unicode character sets due to an unchecked length parameter. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.

nvdosv

← Previous51 / 91Next →