When downloading files, Thunderbird and Firefox sometimes incorrectly used the %HOMEPATH% variable as the location in which to save the downloaded file. In some cases, the Windows system32/users/{username}/AppData/ directory was used as an incorrect download location. This could potentially lead to users' files being downloaded to an attacker-controlled location, such as the %APPDATA%\%HOMEPATH%\ or Windows system32/Users/{username}/AppData/ directory.

To correct this issue, download and install the updated Thunderbird or Firefox package.

CVE-2018-16996: Same Origin Policy bypass through data: and base URL Schemes

The Mozilla project identified another vulnerability in Thunderbird that could allow an attacker to bypass the Same Origin Policy and inject content into a site. This vulnerability affects Thunderbird 61.0.3 and Thunderbird ESR 52.3.
As described in the official advisory, when sending emails, some users would enter specific data: URIs in the “To”, “Cc”, and “Bcc” fields. If a user enters data: URIs into these fields, Thunderbird parses the data: URIs and tries to load them. If an attacker can control these data: URIs, then same-origin

Thunderbird FAQs

Q: Why did Thunderbird update to fix the vulnerability?
A: Mozilla released Thunderbird 52.3 and Thunderbird 61.0.3 to address this issue because of the potential for a crash or security breach, which could lead to sensitive files being downloaded by malicious actors.

Thunderbird Users Are Most Affected

Thunderbird users are most affected by this vulnerability, as an attacker can control the data: URIs in the "To", "Cc", and "Bcc" fields. This could result in messages being sent from an attacker-controlled location, such as the %APPDATA%\%HOMEPATH%\ or Windows system32/Users/{username}/AppData/ directory. For Thunderbird users this means that their files are downloaded to an attacker-controlled location.

Vulnerability: Same Origin Policy bypass through data: and base URL Schemes

An attacker can take advantage of this vulnerability by abusing the "data: URIs" in the "To", "Cc", and "Bcc" fields. This could allow an attacker to bypass the browser's Same Origin Policy and inject content into a site.
The vulnerability can be mitigated by updating Thunderbird to the latest version.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 15:54:00 UTC
