Product:

Thunderbird

(Mozilla)
Repositories https://github.com/libevent/libevent
#Vulnerabilities 1351
Date Id Summary Products Score Patch Annotated
2022-12-22 CVE-2022-3266 An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Firefox, Firefox_esr, Thunderbird 5.5
2022-12-22 CVE-2022-40956 When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Firefox, Firefox_esr, Thunderbird 6.1
2022-12-22 CVE-2022-22761 Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Firefox, Firefox_esr, Thunderbird 8.8
2022-12-22 CVE-2022-22760 When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Firefox, Firefox_esr, Thunderbird 6.5
2022-12-22 CVE-2022-22763 When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6. Firefox, Firefox_esr, Thunderbird 8.8
2022-12-22 CVE-2022-26381 An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. Firefox, Firefox_esr, Thunderbird 8.8
2022-12-22 CVE-2022-26383 When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. Firefox, Firefox_esr, Thunderbird 4.3
2022-12-22 CVE-2022-26384 If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. Firefox, Firefox_esr, Thunderbird 9.6
2022-12-22 CVE-2022-26387 When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. Firefox, Firefox_esr, Thunderbird 7.5
2022-12-22 CVE-2022-26485 Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. Firefox, Firefox_esr, Firefox_focus, Thunderbird 8.8