{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3033", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "dateUpdated": "2024-08-03T00:53:00.849Z", "dateReserved": "2022-08-29T00:00:00", "datePublished": "2022-12-22T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2022-12-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv=\"refresh\"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1."}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"version": "unspecified", "lessThan": "102.2.1", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "91.13.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-38/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-39/"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1784838"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Leaking of sensitive information when composing a response to an HTML email with a META refresh tag"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:53:00.849Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mozilla.org/security/advisories/mfsa2022-38/", "tags": ["x_transferred"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2022-39/", "tags": ["x_transferred"]}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1784838", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "76F28FD2-6BE5-43C4-93B5-051739E3600E", "versionEndExcluding": "91.13.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "576EEF40-52A5-4876-843C-2648CBA74475", "versionEndExcluding": "102.2.1", "versionStartIncluding": "102.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv=\"refresh\"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1."}, {"lang": "es", "value": "Si un usuario de Thunderbird respondi\u00f3 a un correo electr\u00f3nico HTML manipulado que contiene una etiqueta <code>meta</code>, y la etiqueta <code>meta</code> tiene el atributo <code>http-equiv=\"refresh\"</code> , y el atributo de contenido que especifica una URL, Thunderbird inici\u00f3 una solicitud de red a esa URL, independientemente de la configuraci\u00f3n para bloquear contenido remoto. En combinaci\u00f3n con otros elementos y atributos HTML del correo electr\u00f3nico, era posible ejecutar el c\u00f3digo JavaScript incluido en el mensaje en el contexto del documento de redacci\u00f3n del mensaje. El c\u00f3digo JavaScript pudo realizar acciones que incluyen, entre otras, leer y modificar el contenido del documento de redacci\u00f3n del mensaje, incluido el mensaje original citado, que potencialmente podr\u00eda contener el texto plano descifrado de los datos cifrados en el correo electr\u00f3nico elaborado. Luego, el contenido podr\u00eda transmitirse a la red, ya sea a la URL especificada en la etiqueta de actualizaci\u00f3n META o a una URL diferente, ya que el c\u00f3digo JavaScript podr\u00eda modificar la URL especificada en el documento. Este error no afecta a los usuarios que han cambiado la configuraci\u00f3n predeterminada de visualizaci\u00f3n del cuerpo del mensaje a \"html simple\" o \"texto plano\". Esta vulnerabilidad afecta a Thunderbird &lt; 102.2.1 y Thunderbird &lt; 91.13.1."}], "id": "CVE-2022-3033", "lastModified": "2024-11-21T07:18:40.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-22T20:15:37.947", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1784838"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-38/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-39/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1784838"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-38/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2022-39/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Sarah Jamie Lewis as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:6710", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:102.3.0-3.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6708", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:102.3.0-3.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6716", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "thunderbird-0:102.3.0-3.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6715", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:102.3.0-3.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6713", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "thunderbird-0:102.3.0-3.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-09-26T00:00:00Z"}, {"advisory": "RHSA-2022:6717", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:102.3.0-3.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-26T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag", "id": "2123256", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123256"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-200", "details": ["If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv=\"refresh\"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.", "A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of a Thunderbird user replying to a crafted HTML email containing a `meta` tag, with the `meta` tag having the `http-equiv=\"refresh\"` attribute and the content attribute specifying an URL. Thunderbird started a network request to that URL, regardless of the configuration, to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, reading and modifying the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text.'"], "name": "CVE-2022-3033", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2022-08-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3033\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3033\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-38/#CVE-2022-3033\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-39/#CVE-2022-3033"], "threat_severity": "Important", "upstream_fix": "thunderbird 91.13.1, thunderbird 102.2.1"}