Mozilla Thunderbird < 17.0.8 XSS

Medium

Synopsis

The remote host has a mail client installed that is vulnerable to multiple cross-site scripting (XSS) attacks.

Description

Versions of Mozilla Thunderbird prior to 17.0.8 are affected by the following vulnerabilities:

- A flaw exists because the program does not validate URLs in IFRAME elements before returning them to users. (OSVDB 102566)
- A flaw exists because the program does not validate input when handling a specially crafted EMBED or OBJECT element. (OSVDB 103429)

These vulnerabilities may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to Thunderbird 17.0.8 or later.