Severity

Medium

Analysis Summary

CVE-2022-36059 CVSS:6.5
Mozilla Thunderbird is vulnerable to a denial of service, caused by an error when using the Matrix chat protocol. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to make it not show all of a user’s rooms or spaces and/or causing minor temporary corruption.

CVE-2022-3034 CVSS:6.5
Mozilla Thunderbird could allow a remote attacker to obtain sensitive information, caused by an error when receiving an HTML email that specified to load an iframe element from a remote location. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trigger a network request to the remote document.

CVE-2022-3032 CVSS:6.5
Mozilla Thunderbird could allow a remote attacker to bypass security restrictions, caused by the failure to block remote content specified in an HTML document that was nested inside an iframe’s srcdoc attribute. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to access the network.

CVE-2022-3033 CVSS:8.1
Mozilla Thunderbird could allow a remote attacker to obtain sensitive information, caused by the leaking of sensitive information when composing a response to an HTML email with a META refresh tag. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to read and modify the contents of the message compose document.

Impact

• Denial of Service
• Information Disclosure
• Security Bypass

Indicators Of Compromise

CVE

• CVE-2022-36059
• CVE-2022-3034
• CVE-2022-3032
• CVE-2022-3033

Affected Vendors

Mozilla

Affected Products

• Mozilla Thunderbird 102.2

Remediation

Refer to Mozilla Security Advisory for patch, upgrade or suggested workaround information.
Mozilla Security Advisory