The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5141 advisory.

  - Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported     memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
    (CVE-2022-29917)

  - When viewing an email message A, which contains an attached message B, where B is encrypted or digitally     signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and     viewing the attached message B, when returning to the display of message A, the message A might be shown     with the security status of message B. This vulnerability affects Thunderbird < 91.9. (CVE-2022-1520)

  - Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the     top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This     vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29909)

  - An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-     activation</code> could lead to script execution without <code>allow-scripts</code> being present. This     vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29911)

  - Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This     vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. (CVE-2022-29912)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DSA-5141-1 : thunderbird - security update

critical Nessus Plugin ID 161401

Version 1.6