Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:mozilla/Thunderbird@134.0.0
purl pkg:mozilla/Thunderbird@134.0.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-6szy-r2cd-9kfw matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal ### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html CVE-2024-50336
GHSA-xvg8-m4x3-w6xr

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:16:52.949200+00:00 Mozilla Importer Fixing VCID-6szy-r2cd-9kfw https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2025/mfsa2025-04.yml 38.0.0