Security update: Crafted emails could be dangerous for Thunderbird
An important security update for the mail client Thunderbird has been released. With it, the developers have closed four vulnerabilities.
Mozilla’s Thunderbird is vulnerable. If victims respond to a manipulated email, they could unknowingly transmit information to an attacker-controlled website. A DoS attack is also conceivable.
The most dangerous is the data leak vulnerability (CVE-2022-3033, rated “high”). If victims reply to an email containing certain HTML attributes and elements, attackers could execute JavaScript code in the context of the message compose document. According to Mozilla, they could thereby change the content or redirect parts of the reply to a URL they control. Thunderbird users who have set the default message text display setting to “simple html” or “plain text” are unaffected by the vulnerability.
Attackers could also target three other vulnerabilities and cause a DoS condition, for example when the Matrix chat protocol is used. These vulnerabilities are classified as “moderate”. The developers state that they have fixed the security problems in Thunderbird 102.2.1.