CERTVU:863369Mozilla Thunderbird does not adequately restrict HTML elements in email message content
4.3 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.942 High
EPSS
Percentile
99.2%
Overview
Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to.
Description
Vulnerability Lab has reported a vulnerability in the way Mozilla Thunderbird handles HTML elements in email content. Mozilla Thunderbird blocks the creation of certain HTML elements, such as script, when displaying email messages. Traditionally, a script element is created through the use of a <script> HTML tag. HTML elements, including script, can also be created through the use of an <object> tag that specifies a Data URI scheme (RFC 2397). The Data URI can specify a text/html mime type and encode the script in base64. In such cases, Thunderbird will execute the script contained in the email message when it is forwarded or replied to and the outgoing message is in HTML format. Simply displaying the email message does not appear to cause the script to execute.
See Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability for more details.
Testing indicates that Thunderbird 17.0.{6,7,8} are vulnerable. Earlier versions may also be vulnerable.
Impact
By creating a specially-crafted email message, an attacker can cause arbitrary script to execute in Thunderbird when that message is forwarded or replied to.
Solution
Apply an update
Limited testing has shown that Thunderbird versions 24.0 and later are not affected by this vulnerability.
Compose email in plain text format
Disabling the setting to “Compose messages in HTML format” for each email account will help protect against attacks. This will cause outgoing messages to be constructed in plain text, which does not contain HTML elements.
Vendor Information
863369
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Mozilla Affected
Updated: January 27, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| Temporal | 3.9 | E:POC/RL:OF/RC:C |
| Environmental | 2.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- <http://www.vulnerability-lab.com/get_content.php?id=953>
- <https://developer.mozilla.org/en-US/docs/data_URIs>
- <http://tools.ietf.org/html/rfc2397>
Acknowledgements
This vulnerability was reported by Vulnerability Laboratory, who in turn credits Ateeq ur Rehman Khan.
This document was written by Art Manion and Will Dormann.
Other Information
| CVE IDs: | CVE-2013-6674 |
|---|---|
| Date Public: | 2014-01-27 Date First Published: |
Related
4.3 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.942 High
EPSS
Percentile
99.2%