CVSS3 : 8.8 High
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : REQUIRED
Scope : UNCHANGED
Confidentiality Impact : HIGH
Integrity Impact : HIGH
Availability Impact : HIGH
Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2 : 9.3 High
Access Vector : NETWORK
Access Complexity : MEDIUM
Authentication : NONE
Confidentiality Impact : COMPLETE
Integrity Impact : COMPLETE
Availability Impact : COMPLETE
Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS : 0.004 Low
Percentile : 72.4%

Severity: High
Date : 2020-12-16
CVE-ID : CVE-2020-16042 CVE-2020-26970 CVE-2020-26971 CVE-2020-26973
CVE-2020-26974 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1315

Summary

The package thunderbird before version 78.6.0-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing
and information disclosure.

Resolution

Upgrade to 78.6.0-1.
The problems have been fixed upstream in version 78.6.0.

Workaround

None.

Description

- CVE-2020-16042

An uninitialized use security issue has been found in the V8 component
of the chromium browser before version 87.0.4280.88 and Firefox before
84.0.

- CVE-2020-26970

When reading SMTP server status codes, Thunderbird before 78.5.1 writes
an integer value to a position on the stack that is intended to contain
just one byte. Depending on processor architecture and stack layout,
this leads to stack corruption that may be exploitable.

- CVE-2020-26971

A security issue was found in Firefox before 84.0 and Thunderbird
before 78.6 where certain blit values provided by the user were not
properly constrained, leading to a heap buffer overflow on some video
drivers.

- CVE-2020-26973

A security issue was found in Firefox before 84.0 and Thunderbird
before 78.6 where certain input to the CSS Sanitizer confused it,
resulting in incorrect components being removed. This could have been
used as a sanitizer bypass.

- CVE-2020-26974

A security issue was found in Firefox before 84.0 and Thunderbird
before 78.6. When flex-basis was used on a table wrapper, a
StyleGenericFlexBasis object could have been incorrectly cast to the
wrong type. This resulted in a heap use-after-free, memory corruption,
and a potentially exploitable crash.

- CVE-2020-26978

A security issue was discovered in Firefox before 84.0 and Thunderbird
before 78.6. Using techniques that built on the slipstream research, a
malicious webpage could have exposed both an internal network’s hosts
as well as services running on the user’s local machine.

- CVE-2020-35111

A security issue was discovered in Firefox before 84.0 and Thunderbird
before 78.6. When an extension with the proxy permission registered to
receive <all_urls>, the proxy.onRequest callback was not triggered for
view-source URLs. While web content cannot navigate to such URLs, a
user opening View Source could have inadvertently leaked their IP
address.

- CVE-2020-35113

Mozilla developer Christian Holler reported memory safety bugs present
in Firefox 83, Firefox ESR 78.5 and Thunderbird 78.5. Some of these
bugs showed evidence of memory corruption and Mozilla presumes that
with enough effort some of these could have been exploited to run
arbitrary code.

Impact

A remote attacker might be able to access sensitive information, spoof
content or execute arbitrary code. Note that in general these flaws
cannot be exploited through email in the Thunderbird product because
scripting is disabled when reading mail, but they are potential risks in
browser or browser-like contexts.

References

https://bugs.archlinux.org/task/68853
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/
https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html
https://crbug.com/1151890
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-16042
https://bugzilla.mozilla.org/show_bug.cgi?id=1679003
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53/#CVE-2020-26970
https://bugzilla.mozilla.org/show_bug.cgi?id=1677338
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26971
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26971
https://bugzilla.mozilla.org/show_bug.cgi?id=1663466
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26973
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26973
https://bugzilla.mozilla.org/show_bug.cgi?id=1680084
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26974
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26974
https://bugzilla.mozilla.org/show_bug.cgi?id=1681022
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26978
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-26978
https://bugzilla.mozilla.org/show_bug.cgi?id=1677047
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-35111
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-35111
https://bugzilla.mozilla.org/show_bug.cgi?id=1657916
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-35113
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-35113
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1664831%2C1673589
https://security.archlinux.org/CVE-2020-16042
https://security.archlinux.org/CVE-2020-26970
https://security.archlinux.org/CVE-2020-26971
https://security.archlinux.org/CVE-2020-26973
https://security.archlinux.org/CVE-2020-26974
https://security.archlinux.org/CVE-2020-26978
https://security.archlinux.org/CVE-2020-35111
https://security.archlinux.org/CVE-2020-35113

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | thunderbird | < 78.6.0-1 | UNKNOWN |
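
A host check for the affected range above (thunderbird older than 78.6.0-1), as an added example that is not part of the advisory. It uses pacman's `vercmp` when present and otherwise falls back to `sort -V`, which does not understand epochs; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a thunderbird build predates the fix.
FIXED="78.6.0-1"   # fixed package version stated in the advisory

# Compare two pacman version strings; prints -1, 0 or 1.
ver_cmp() {
    if command -v vercmp >/dev/null 2>&1; then
        vercmp "$1" "$2"          # pacman's own comparison tool
        return
    fi
    # Fallback for hosts without pacman: version sort, no epoch support.
    if [ "$1" = "$2" ]; then
        printf '%s\n' 0
        return
    fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    if [ "$lowest" = "$1" ]; then
        printf '%s\n' -1
    else
        printf '%s\n' 1
    fi
}

# Returns 0 (true) when the given version is older than the fixed one.
is_affected() {
    [ "$(ver_cmp "$1" "$FIXED")" -lt 0 ]
}

# Report on the locally installed package, if any.
check_host() {
    installed=$(pacman -Q thunderbird 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "thunderbird: not installed"
    elif is_affected "$installed"; then
        echo "thunderbird $installed: AFFECTED, upgrade to >= $FIXED"
    else
        echo "thunderbird $installed: not affected"
    fi
}

check_host
```
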