thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking

The Mozilla Foundation's Security Advisory describes the following issue: It is possible to craft an email that shows a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird automatically accesses the link. The configuration to block remote content does not...

thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking

The Mozilla Foundation's Security Advisory describes the following issue: It is possible to craft an email that shows a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird automatically accesses the link. The configuration to block remote content does not...

Important: thunderbird

Issue Overview: Through a series of popup and window.print calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR 102.5, Thunderbird 102.5, and Firefo...

Important: thunderbird

Issue Overview: Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an invalid value "Spoofed Name ", Thunderbird treats [email protected] as the actual address. This...

CVE-2025-5082

The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachmentid’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVE-2025-5082

The WP Attachments plugin for WordPress (up to and including version 5.0.12) is vulnerable to Reflected Cross-Site Scripting via the attachment_id parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages t...

CVE-2025-5082 WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter

The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachmentid’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

PT-2025-23065 · WordPress · Wp Attachments

Name of the Vulnerable Software and Affected Versions: WP Attachments plugin for WordPress versions up to, and including, 5.0.12 Description: The issue is related to Reflected Cross-Site Scripting, which allows unauthenticated attackers to inject arbitrary web scripts in pages. This is possible d...

WordPress plugin WP Attachments 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. WordPress WP Attachments plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied dat...

JetBrains YouTrack Access Control Error Vulnerability

JetBrains YouTrack is a project management tool developed by JetBrains that supports cloud hosting and local deployment. JetBrains YouTrack suffers from an Access Control Error vulnerability that stems from the disclosure of restricted attachments during a cloning issue, which can be exploited by...

thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking

The Mozilla Foundation's Security Advisory describes the following issue: It is possible to craft an email that shows a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird automatically accesses the link. The configuration to block remote content does not...

thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking

The Mozilla Foundation's Security Advisory describes the following issue: It is possible to craft an email that shows a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird automatically accesses the link. The configuration to block remote content does not...

CVE-2024-52513

Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to...

CVE-2024-27448

MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file...

CVE-2024-32464

Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a richtextarea tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2...

CVE-2024-4274

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the removepropertyattachmentajax function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and...

CVE-2024-3230

The Download Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'download-attachments' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-27845

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in iOS 17.5 and iPadOS 17.5. An app may be able to access Notes attachments...

CVE-2024-23188

Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the users...

CVE-2023-22504

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature...