
Mozilla Thunderbird < 17.0.8 XSS

Medium

Synopsis

The remote host has a mail client installed that is vulnerable to multiple cross-site scripting (XSS) attacks.

Description

Versions of Mozilla Thunderbird prior to 17.0.8 are affected by the following vulnerabilities:

- A flaw exists because the program does not validate URLs in IFRAME elements before returning them to users. (OSVDB 102566)
- A flaw exists because the program does not validate input when handling a specially crafted EMBED or OBJECT element. (OSVDB 103429)

These vulnerabilities may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to Thunderbird 17.0.8 or later.