CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
95.2%
Multiple memory safety issues were discovered in Thunderbird. If a user
were tricked in to opening a specially crafted message with scripting
enabled, an attacker could possibly exploit these to cause a denial of
service via application crash, or potentially execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2013-1739,
CVE-2013-5590, CVE-2013-5591)
Jordi Chancel discovered that HTML select elements could display arbitrary
content. If a user had scripting enabled, an attacker could potentially
exploit this to conduct URL spoofing or clickjacking attacks.
(CVE-2013-5593)
Abhishek Arya discovered a crash when processing XSLT data in some
circumstances. If a user had scripting enabled, an attacker could
potentially exploit this to execute arbitrary code with the privileges
of the user invoking Thunderbird. (CVE-2013-5604)
Dan Gohman discovered a flaw in the Javascript engine. If a user had
enabled scripting, when combined with other vulnerabilities an attacker
could possibly exploit this to execute arbitrary code with the privileges
of the user invoking Thunderbird. (CVE-2013-5595)
Ezra Pool discovered a crash on extremely large pages. If a user had
scripting enabled, an attacker could potentially exploit this to execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2013-5596)
Byoungyoung Lee discovered a use-after-free when updating the offline
cache. If a user had scripting enabled, an attacker could potentially
exploit this to cause a denial of service via application crash or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2013-5597)
Multiple use-after-free flaws were discovered in Thunderbird. If a user
had scripting enabled, an attacker could potentially exploit these to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2013-5599,
CVE-2013-5600, CVE-2013-5601)
A memory corruption flaw was discovered in the Javascript engine when
using workers with direct proxies. If a user had scripting enabled, an
attacker could potentially exploit this to cause a denial of service
via application crash or execute arbitrary code with the privileges of
the user invoking Thunderbird. (CVE-2013-5602)
Abhishek Arya discovered a use-after-free when interacting with HTML
document templates. If a user had scripting enabled, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2013-5603)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Ubuntu | 13.10 | noarch | thunderbird | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-dbg | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-dev | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-globalmenu | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-gnome-support | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-gnome-support-dbg | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-af | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-ar | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-ast | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
Ubuntu | 13.10 | noarch | thunderbird-locale-be | < 1:24.1.0+build1-0ubuntu0.13.10.1 | UNKNOWN |
launchpad.net/bugs/1245422
ubuntu.com/security/CVE-2013-1739
ubuntu.com/security/CVE-2013-5590
ubuntu.com/security/CVE-2013-5591
ubuntu.com/security/CVE-2013-5593
ubuntu.com/security/CVE-2013-5595
ubuntu.com/security/CVE-2013-5596
ubuntu.com/security/CVE-2013-5597
ubuntu.com/security/CVE-2013-5599
ubuntu.com/security/CVE-2013-5600
ubuntu.com/security/CVE-2013-5601
ubuntu.com/security/CVE-2013-5602
ubuntu.com/security/CVE-2013-5603
ubuntu.com/security/CVE-2013-5604