Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2022-3033

EPSS 0.74% · P73
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-3033

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mozilla Thunderbird 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mozilla Thunderbird是美国Mozilla基金会的一套从Mozilla Application Suite独立出来的电子邮件客户端软件。该软件支持IMAP、POP邮件协议以及HTML邮件格式。 Mozilla Thunderbird 存在跨站脚本漏洞,该漏洞源于如果Thunderbird用户回复了一封包含元标签的精心制作的HTML邮件,元标记具有http-equiv=”refresh“属性,以及内容属性指定URL,然后Thunderbird启动对该URL的网络请求URL,而不考虑阻止远程内
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
MozillaThunderbird unspecified ~ 102.2.1 -

II. Public POCs for CVE-2022-3033

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-3033

登录查看更多情报信息。

Same Patch Batch · Mozilla · 2022-12-22 · 175 CVEs total

CVE-2022-36319Mozilla Firefox 安全漏洞
CVE-2022-34481Mozilla Firefox 输入验证错误漏洞
CVE-2022-34482Mozilla Firefox 安全漏洞
CVE-2022-34483Mozilla Firefox 安全漏洞
CVE-2022-34484Mozilla Firefox 资源管理错误漏洞
CVE-2022-34485Mozilla Firefox 缓冲区错误漏洞
CVE-2022-36314Mozilla Firefox 代码问题漏洞
CVE-2022-36315Mozilla Firefox 资源管理错误漏洞
CVE-2022-36316Mozilla Firefox 输入验证错误漏洞
CVE-2022-36317Mozilla Firefox 输入验证错误漏洞
CVE-2022-36318Mozilla Firefox 竞争条件问题漏洞
CVE-2022-38475Mozilla Firefox 安全漏洞
CVE-2022-40957Mozilla Firefox 安全漏洞
CVE-2022-40956Mozilla Firefox 跨站脚本漏洞
CVE-2022-38478Mozilla Firefox 缓冲区错误漏洞
CVE-2022-38477Mozilla Firefox 缓冲区错误漏洞
CVE-2022-38476Mozilla Firefox ESR 资源管理错误漏洞
CVE-2022-38473Mozilla Firefox 安全漏洞
CVE-2022-36320Mozilla Firefox 缓冲区错误漏洞
CVE-2022-38472Mozilla Firefox 访问控制错误漏洞

Showing top 20 of 175 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Thunderbird
Same vendor: Mozilla

V. Comments for CVE-2022-3033

No comments yet

Leave a comment