VulnerableCode Package Details - pkg:alpm/archlinux/thunderbird@91.1.2-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-1rj3-tt63-4yc1 Aliases: CVE-2021-38497	Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks.	91.2.0-1 Affected by 0 other vulnerabilities.
VCID-2k99-39yt-gkbe Aliases: CVE-2021-38496	During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.	91.2.0-1 Affected by 0 other vulnerabilities.
VCID-6fkp-5fzu-fydp Aliases: CVE-2021-38500	Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	91.2.0-1 Affected by 0 other vulnerabilities.
VCID-9y48-sjn7-rqeu Aliases: CVE-2021-38501	Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.	91.2.0-1 Affected by 0 other vulnerabilities.
VCID-hhu1-cgcx-nfev Aliases: CVE-2021-38498	During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash.	91.2.0-1 Affected by 0 other vulnerabilities.
VCID-vtjf-sufh-p3h4 Aliases: CVE-2021-32810 GHSA-pqqp-xmhj-wgcw	crossbeam-deque Data Race before v0.7.4 and v0.8.1 ### Impact In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. ### Patches This has been fixed in crossbeam-deque 0.8.1 and 0.7.4. ### Credits This issue was reported and fixed by Maor Kleinberger. ### License This advisory is in the public domain.	91.2.0-1 Affected by 0 other vulnerabilities.
VCID-zwz9-pt55-t3c6 Aliases: CVE-2021-38502	Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too.	91.2.0-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1rj3-tt63-4yc1
Aliases:
CVE-2021-38497

Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks.