Lookup for vulnerable packages by Package URL.
| Purl | pkg:mozilla/Thunderbird@23.0.0 |
|---|
| Type | mozilla |
|---|
| Namespace | |
|---|
| Name | Thunderbird |
|---|
| Version | 23.0.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | 24.0.0 |
|---|
| Latest_non_vulnerable_version | 150.0.0 |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-dbre-65bp-xbf1 |
| vulnerability_id |
VCID-dbre-65bp-xbf1 |
| summary |
Security researcher Fabián Cuchietti discovered that
it was possible to bypass the restriction on JavaScript execution in mail by
embedding an <iframe> with a data: URL within a message. If the victim
replied or forwarded the mail after receiving it, quoting it "in-line"
using Thunderbird's HTML mail editor, it would run the attached script. The
running script would be restricted to the mail composition window where it could
observe and potentially modify the content of the mail before it was sent.
Scripts were not executed if the recipient merely viewed the mail, only if it
was edited as HTML. Turning off HTML composition prevented the vulnerability and
forwarding the mail "as attachment" prevented the forwarding
variant.Ateeq ur Rehman Khan of Vulnerability Labs reported
additional variants of this attack involving the use of the <object> tag
and which could be used to attach object data types such as images, audio, or
video.This affected the Thunderbird 17 branch. It was fixed in all
versions based on Gecko 23 or later. Thunderbird 24 and later are not affected
by this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2013-6674 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97711 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.9768 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97687 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97688 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97693 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97696 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97698 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97701 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97702 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.47529 |
| scoring_system |
epss |
| scoring_elements |
0.97708 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2013-6674 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2013-6674
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dbre-65bp-xbf1 |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@23.0.0 |
|---|