The version of Thunderbird installed on the remote Windows host is prior to 60.8. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-23 advisory.

  - As part of his winning Pwn2Own entry, Niklas Baumstark     demonstrated a sandbox escape by installing a malicious     language pack and then opening a browser feature that     used the compromised translation. (CVE-2019-9811)

  - When an inner window is reused, it does not consider the     use of document.domain for cross-origin     protections. If pages on different subdomains ever     cooperatively use document.domain, then     either page can abuse this to inject script into     arbitrary pages on the other subdomain, even those that     did not use document.domain to relax their     origin security. (CVE-2019-11711)

  - POST requests made by NPAPI plugins, such as Flash, that     receive a status 308 redirect response can bypass CORS     requirements. This can allow an attacker to perform     Cross-Site Request Forgery (CSRF) attacks.
    (CVE-2019-11712)

  - A use-after-free vulnerability can occur in HTTP/2 when     a cached HTTP/2 stream is closed while still in use,     resulting in a potentially exploitable crash.
    (CVE-2019-11713)

  - Empty or malformed p256-ECDH public keys may trigger a     segmentation fault due values being improperly sanitized     before being copied into memory and used.
    (CVE-2019-11729)

  - Due to an error while parsing page content, it is     possible for properly sanitized user input to be     misinterpreted and lead to XSS hazards on web sites in     certain circumstances. (CVE-2019-11715)

  - A vulnerability exists where the caret (^) character     is improperly escaped constructing some URIs due to it     being used as a separator, allowing for possible     spoofing of origin attributes. (CVE-2019-11717)

  - When importing a curve25519 private key in PKCS#8format     with leading 0x00 bytes, it is possible to trigger an     out-of-bounds read in the Network Security Services     (NSS) library. This could lead to information     disclosure. (CVE-2019-11719)

  - A vulnerability exists where if a user opens a locally     saved HTML file, this file can use file:
    URIs to access other files in the same directory or sub-     directories if the names are known or guessed. The Fetch     API can then be used to read the contents of any files     stored in these directories and they may uploaded to a     server. Luigi Gubello demonstrated that in combination     with a popular Android messaging app, if a malicious     HTML attachment is sent to a user and they opened that     attachment in Firefox, due to that app's predictable     pattern for locally-saved file names, it is possible to     read attachments the victim received from other     correspondents. (CVE-2019-11730)

  - Mozilla developers and community members Andreea Pavel,     Christian Holler, Honza Bambas, Jason Kratzer, and Jeff     Gilbert reported memory safety bugs present in Firefox     67, Firefox ESR 60.7, and Thunderbird 60.7. Some of     these bugs showed evidence of memory corruption and we     presume that with enough effort that some of these could     be exploited to run arbitrary code. (CVE-2019-11709)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Mozilla Thunderbird < 60.8

critical Nessus Plugin ID 126704

Version 1.3