U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:mozilla:thunderbird:0.1
There are 1,123 matching records.
Displaying matches 201 through 220.
Vuln ID Summary CVSS Severity
CVE-2022-22748

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:16 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-22747

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:16 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-22746

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:15 PM -0500
V3.1: 5.9 MEDIUM
V2.0:(not available)
CVE-2022-22745

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:15 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-22744

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.<br>*This bug only affects Thunderbird for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:15 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-22743

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:15 PM -0500
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2022-22742

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:14 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-22741

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:14 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-22740

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:14 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-22739

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:14 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-22738

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:14 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-22737

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Published: December 22, 2022; 3:15:14 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-1834

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature. This vulnerability affects Thunderbird < 91.10.

Published: December 22, 2022; 3:15:13 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-1802

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.

Published: December 22, 2022; 3:15:13 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-1529

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.

Published: December 22, 2022; 3:15:13 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-1520

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9.

Published: December 22, 2022; 3:15:13 PM -0500
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2022-1197

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8.

Published: December 22, 2022; 3:15:13 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-1196

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

Published: December 22, 2022; 3:15:12 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-1097

<code>NSSToken</code> objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

Published: December 22, 2022; 3:15:12 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-0566

It may be possible for an attacker to craft an email message that causes Thunderbird to perform an out-of-bounds write of one byte when processing the message. This vulnerability affects Thunderbird < 91.6.1.

Published: December 22, 2022; 3:15:12 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)