Vulnerability-Lookup

CVE-2025-3522 (GCVE-0-2025-3522)

Vulnerability from cvelistv5 – Published: 2025-04-15 15:06 – Updated: 2025-04-15 19:05

Summary

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

Leak of hashed Window credentials via crafted attachment URL

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=1955372
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Thunderbird

Affected: unspecified , < 137.0.2 (custom)

Mozilla

Thunderbird

Affected: unspecified , < 128.9.2 (custom)

Credits

Dario Weißer

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-3522",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-15T18:49:37.244746Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-601",
                "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T19:05:13.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "137.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.9.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Dario Wei\u00dfer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird \u003c 137.0.2 and Thunderbird \u003c 128.9.2."
            }
          ],
          "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird \u003c 137.0.2 and Thunderbird \u003c 128.9.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Leak of hashed Window credentials via crafted attachment URL",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-15T15:06:13.599Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955372"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-26/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-27/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-3522",
    "datePublished": "2025-04-15T15:06:13.599Z",
    "dateReserved": "2025-04-11T15:23:30.875Z",
    "dateUpdated": "2025-04-15T19:05:13.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-3522\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-15T18:49:37.244746Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-15T19:02:33.423Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"value\": \"Dario Wei\\u00dfer\"}], \"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"137.0.2\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"128.9.2\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1955372\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2025-26/\"}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2025-27/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird \u003c 137.0.2 and Thunderbird \u003c 128.9.2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird \u003c 137.0.2 and Thunderbird \u003c 128.9.2.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Leak of hashed Window credentials via crafted attachment URL\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2025-04-15T15:06:13.599Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-3522\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T19:05:13.896Z\", \"dateReserved\": \"2025-04-11T15:23:30.875Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2025-04-15T15:06:13.599Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2025-AVI-0317

Vulnerability from certfr_avis - Published: 2025-04-16 - Updated: 2025-04-16

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Mozilla	Firefox	Firefox versions antérieures à 137.0.2
Mozilla	Thunderbird ESR	Thunderbird ESR versions antérieures à 128.9.2
Mozilla	Thunderbird	Thunderbird versions antérieures à 137.0.2

References

Title

Publication Time

cve-2025-3522

Vulnerability from osv_almalinux

Published

2025-04-28 00:00

Modified

2025-04-28 19:32

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)
thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)
thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.9.2-1.el9_5.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.  \n\nSecurity Fix(es):  \n\n  * thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)\n  * thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)\n  * thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:4229",
  "modified": "2025-04-28T19:32:51Z",
  "published": "2025-04-28T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:4229"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2830"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3522"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3523"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359786"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359789"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359793"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2025-4229.html"
    }
  ],
  "related": [
    "CVE-2025-3523",
    "CVE-2025-2830",
    "CVE-2025-3522"
  ],
  "summary": "Important: thunderbird security update"
}

cve-2025-3522

Vulnerability from osv_almalinux

Published

2025-05-07 00:00

Modified

2025-05-08 18:46

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)
thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)
thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.9.2-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.  \n\nSecurity Fix(es):  \n\n  * thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)\n  * thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)\n  * thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:4649",
  "modified": "2025-05-08T18:46:21Z",
  "published": "2025-05-07T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:4649"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2830"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3522"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3523"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359786"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359789"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359793"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-4649.html"
    }
  ],
  "related": [
    "CVE-2025-3523",
    "CVE-2025-2830",
    "CVE-2025-3522"
  ],
  "summary": "Important: thunderbird security update"
}

cve-2025-3522

Vulnerability from osv_almalinux

Published

2025-05-13 00:00

Modified

2025-07-02 12:26

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)
thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)
thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)
firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)
firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)
firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames (CVE-2025-4083)
firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)
firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.10.0-1.el10_0.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.  \n\nSecurity Fix(es):  \n\n  * thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)\n  * thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)\n  * thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)\n  * firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)\n  * firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)\n  * firefox: thunderbird: Process isolation bypass using \"javascript:\" URI links in cross-origin frames (CVE-2025-4083)\n  * firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)\n  * firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:7507",
  "modified": "2025-07-02T12:26:26Z",
  "published": "2025-05-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:7507"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2817"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2830"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3522"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3523"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4083"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4087"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4091"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4093"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359786"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359789"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359793"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2362902"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2362904"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2362907"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2362912"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2362915"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2025-7507.html"
    }
  ],
  "related": [
    "CVE-2025-3523",
    "CVE-2025-2830",
    "CVE-2025-3522",
    "CVE-2025-2817",
    "CVE-2025-4087",
    "CVE-2025-4083",
    "CVE-2025-4091",
    "CVE-2025-4093"
  ],
  "summary": "Important: thunderbird security update"
}

cve-2025-3522

Vulnerability from osv_almalinux

Published

2025-05-13 00:00

Modified

2025-05-21 06:27

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)
thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)
thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "128.10.0-1.el9_6.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.  \n\nSecurity Fix(es):  \n\n  * thunderbird: User Interface (UI) Misrepresentation of attachment URL (CVE-2025-3523)\n  * thunderbird: Information Disclosure of /tmp directory listing (CVE-2025-2830)\n  * thunderbird: Leak of hashed Window credentials via crafted attachment URL (CVE-2025-3522)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:7435",
  "modified": "2025-05-21T06:27:59Z",
  "published": "2025-05-13T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:7435"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2830"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3522"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3523"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359786"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359789"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2359793"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2025-7435.html"
    }
  ],
  "related": [
    "CVE-2025-3523",
    "CVE-2025-2830",
    "CVE-2025-3522"
  ],
  "summary": "Important: thunderbird security update"
}

FKIE_CVE-2025-3522

Vulnerability from fkie_nvd - Published: 2025-04-15 15:16 - Updated: 2025-06-18 13:26

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1955372	Permissions Required
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2025-26/	Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2025-27/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	mozilla	thunderbird	*
	mozilla	thunderbird	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D11A3908-71D7-4967-8029-0D4DD57F384C",
              "versionEndExcluding": "128.9.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "971D9339-D135-4B63-A4DA-E333080DA5E6",
              "versionEndExcluding": "137.0.2",
              "versionStartIncluding": "129.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird \u003c 137.0.2 and Thunderbird \u003c 128.9.2."
    },
    {
      "lang": "es",
      "value": "Thunderbird procesa el encabezado X-Mozilla-External-Attachment-URL para gestionar los archivos adjuntos alojados externamente. Al abrir un correo electr\u00f3nico, Thunderbird accede a la URL especificada para determinar el tama\u00f1o del archivo y la accede cuando el usuario hace clic en el archivo adjunto. Dado que la URL no est\u00e1 validada ni depurada, puede hacer referencia a recursos internos como enlaces a chrome:// o a recursos compartidos SMB file://, lo que podr\u00eda provocar una fuga de credenciales de Windows con hash y dar lugar a problemas de seguridad m\u00e1s graves. Esta vulnerabilidad afecta a Thunderbird (versi\u00f3n anterior a la 137.0.2) y Thunderbird (versi\u00f3n anterior a la 128.9.2)."
    }
  ],
  "id": "CVE-2025-3522",
  "lastModified": "2025-06-18T13:26:04.983",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-15T15:16:09.877",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955372"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-26/"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-27/"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-78FW-W53R-PGWG

Vulnerability from github – Published: 2025-04-15 15:30 – Updated: 2025-04-15 21:31

Details

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-3522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T15:16:09Z",
    "severity": "MODERATE"
  },
  "details": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird \u003c 137.0.2 and Thunderbird \u003c 128.9.2.",
  "id": "GHSA-78fw-w53r-pgwg",
  "modified": "2025-04-15T21:31:42Z",
  "published": "2025-04-15T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3522"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955372"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-26"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-3522 (GCVE-0-2025-3522)

CERTFR-2025-AVI-0317

Solutions

cve-2025-3522

Vulnerability from osv_almalinux

cve-2025-3522

Vulnerability from osv_almalinux

cve-2025-3522

Vulnerability from osv_almalinux

cve-2025-3522

Vulnerability from osv_almalinux

FKIE_CVE-2025-3522

GHSA-78FW-W53R-PGWG

Tags

Sightings

Nomenclature