May 21, 2019 - 12:00 a.m.

KLA11488 Multiple vulnerabilities in Mozilla Thunderbird

2019-05-21 00:00:00
Kaspersky Lab
threats.kaspersky.com
mozilla thunderbird
vulnerabilities
security bypass
sensitive information
denial of service
arbitrary code execution

AI Score: 10 (Confidence: Low)

EPSS: 0.536 (Percentile: 97.7%)

Multiple vulnerabilities were found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to bypass security restrictions, obtain sensitive information, cause denial of service, and execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. A type confusion vulnerability can be exploited remotely to bypass security restrictions;
  2. A cross-origin resource sharing vulnerability can be exploited remotely via a canvas to obtain sensitive information;
  3. A use-after-free vulnerability in the crash generation server can be exploited remotely to cause denial of service or bypass security restrictions;
  4. A compartment mismatch vulnerability can be exploited to cause denial of service;
  5. A use-after-free vulnerability in the chrome event handler can be exploited to cause denial of service;
  6. A use-after-free vulnerability in XMLHttpRequest can be exploited to cause denial of service;
  7. A use-after-free vulnerability in the event listener manager can be exploited to cause denial of service;
  8. A use-after-free vulnerability in the png_image_free function in the libpng library can be exploited to cause denial of service;
  9. A cross-origin resource sharing vulnerability in createImageBitmap can be exploited to obtain sensitive information;
  10. A cross-origin resource sharing vulnerability in ImageBitmapRenderingContext can be exploited to obtain sensitive information;
  11. A memory leakage vulnerability in the Windows sandbox can be exploited to obtain sensitive information;
  12. An unspecified vulnerability can be exploited remotely via drag and drop of hyperlinks to and from bookmarks to obtain sensitive information;
  13. An out-of-bounds read vulnerability can be exploited to obtain sensitive information;
  14. Multiple memory corruption vulnerabilities can be exploited to execute arbitrary code.

Original advisories

mfsa2019-15

Related products

Mozilla-Thunderbird

CVE list

CVE-2018-18511 warning

CVE-2019-5798 warning

CVE-2019-9797 warning

CVE-2019-9816 warning

CVE-2019-9817 warning

CVE-2019-9818 high

CVE-2019-9819 critical

CVE-2019-9820 critical

CVE-2019-11691 critical

CVE-2019-11692 critical

CVE-2019-7317 warning

CVE-2019-11694 warning

CVE-2019-11698 warning

CVE-2019-9800 critical

CVE-2019-9815 high

CVE-2019-11693 critical

Solution

Update to the latest version

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an attacker to capture information that is critical for the user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can allow an attacker to perform actions that the current security settings restrict.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can allow an attacker to change the user interface to trick the user into incorrect actions.

Affected Products

  • Mozilla Thunderbird earlier than 60.7