| VID |
28927 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The version of Thunderbird installed on the remote Windows host is prior to 78.14. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-42 advisory.
- When delegating navigations to the operating system, Thunderbird would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. (CVE-2021-38492)
- Mozilla developers Tyson Smith and Gabriele Svelto reported memory safety bugs present in Thunderbird 78.13. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2021-38493)
* References:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-42/
* Platforms Affected:
Mozilla Foundation, Thunderbird versions prior to 78.14
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Thunderbird (78.14 or later), available from the Mozilla Web site at http://www.mozilla.com/thunderbird/ |
| Related URL |
CVE-2021-38492,CVE-2021-38493 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
