Description
A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
Published: 2025-05-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach via Clickjacking
Action: Apply Patch
AI Analysis

Impact

A clickjacking flaw allowed a malicious site to trick a user into revealing the contents of saved payment card data that resides in the browser or email client. The weakness enables an attacker to read confidential payment details if the user interacts with a manipulated interface, which is classified as a User Interface API Dependency Error (CWE‑1021).

Affected Systems

Mozilla Firefox and Thunderbird are affected. The flaw was fixed in Firefox 139 and Firefox ESR 128.11, as well as in Thunderbird 139 and Thunderbird ESR 128.11. Versions older than these are vulnerable.

Risk and Exploitability

The exploit requires the user to visit or interact with a malicious page that loads the vulnerable UI in an iframe or similar technique. Because the attack depends on user interaction, it does not allow remote code execution; the impact is limited to a confidentiality breach of locked‑in payment information. The CVSS score of 5.4 indicates moderate severity, while the EPSS of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Consequently, the overall risk in an enterprise setting is moderate, with the primary threat being an inadvertent disclosure of stored card details.

Generated by OpenCVE AI on April 20, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 139 or later, or upgrade Firefox ESR to 128.11 or later.
  • Upgrade Mozilla Thunderbird to version 139 or later, or upgrade Thunderbird ESR to 128.11 or later.
  • If an upgrade is not immediately possible, restrict the ability of external sites to load internal browser pages in iframes by applying stricter content‑security‑policy headers or using a browser extension that blocks such embedding.

Generated by OpenCVE AI on April 20, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4191-1 firefox-esr security update
Debian DLA Debian DLA DLA-4194-1 thunderbird security update
Debian DSA Debian DSA DSA-5926-1 firefox-esr security update
Debian DSA Debian DSA DSA-5932-1 thunderbird security update
EUVD EUVD EUVD-2025-18104 A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details Clickjacking vulnerability could have led to leaking saved payment card details

Mon, 16 Jun 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Wed, 11 Jun 2025 12:15:00 +0000

Type Values Removed Values Added
Description A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11. A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
References

Tue, 10 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_e4s:9.2
cpe:/a:redhat:rhel_tus:8.6
cpe:/a:redhat:rhel_tus:8.8
Vendors & Products Redhat rhel Aus
Redhat rhel Tus

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel E4s
Redhat rhel Eus

Wed, 04 Jun 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Tue, 03 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Thu, 29 May 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Thu, 29 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details
References
Metrics threat_severity

None

 threat_severity

Low

Tue, 27 May 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 May 2025 12:45:00 +0000

Type Values Removed Values Added
Description A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139 and Firefox ESR < 128.11.
References

Subscriptions

Mozilla Firefox
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:10.584Z

Reserved: 2025-05-27T12:29:25.508Z

Link: CVE-2025-5267

cve-icon Vulnrichment

Updated: 2025-11-03T20:06:07.099Z

cve-icon NVD

Status : Modified

Published: 2025-05-27T13:15:22.507

Modified: 2026-04-13T15:17:04.397

Link: CVE-2025-5267

cve-icon Redhat

Severity : Low

Publid Date: 2025-05-27T12:29:25Z

Links: CVE-2025-5267 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses