Detections
Analytics

Mozilla Thunderbird < 52.5.2

high Nessus Plugin ID 275682

Language:

Synopsis

A mail client installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.

Description

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 52.5.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2017-30 advisory.

 - It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via View -> Feed article -> Website or in the standard format of View -> Feed article -> default format. (CVE-2017-7846)

 - A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. (CVE-2017-7845)

 - Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name.
 (CVE-2017-7847)

 - RSS fields can inject new lines into the created email structure, modifying the message body.
 (CVE-2017-7848)

 - It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string. (CVE-2017-7829)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Mozilla Thunderbird version 52.5.2 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/

Plugin Details

Severity: High

ID: 275682

File Name: macos_thunderbird_52_5_2.nasl

Version: 1.1

Type: local

Agent: macosx

Published: 11/18/2025

Updated: 11/18/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-7845

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2017-7846

Vulnerability Information

CPE: cpe:/a:mozilla:thunderbird

Required KB Items: installed_sw/Mozilla Thunderbird

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/22/2017

Vulnerability Publication Date: 11/16/2017

Reference Information

CVE: CVE-2017-7829, CVE-2017-7845, CVE-2017-7846, CVE-2017-7847, CVE-2017-7848

IAVA: 2017-A-0330-S