Synopsis
The remote host has a mail client installed that is vulnerable to multiple cross-site scripting (XSS) attacks.
Description
Versions of Mozilla Thunderbird prior to 17.0.8 are affected by the following vulnerabilities:
- A flaw exists because the program does not validate URLs in IFRAME elements before returning them to users.
- A flaw exists because the program does not validate input when handling a specially crafted EMBED or OBJECT element.
These vulnerabilities may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Solution
Upgrade to Thunderbird 17.0.8 or later.