Package details: pkg:deb/debian/thunderbird@1:128.10.0esr-1
purl pkg:deb/debian/thunderbird@1:128.10.0esr-1
Tags Ghost
Next non-vulnerable version 1:128.11.0esr-1~deb12u1
Latest non-vulnerable version 1:138.0-1
Risk 4.0
Vulnerabilities affecting this package (6)
Columns: Vulnerability (with aliases), Summary, Fixed by (fixing version, with the count of other vulnerabilities that version is affected by).

VCID-6kgm-9pss-vkfv
Aliases: CVE-2025-3877
Summary: A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content.
Fixed by: 1:128.10.1esr-1~deb12u1 (affected by 0 other vulnerabilities); 1:128.10.1esr-1 (affected by 0 other vulnerabilities)

VCID-6xsv-8x8g-ukez
Aliases: CVE-2025-3523
Summary: When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.
Fixed by: 1:137.0-1 (affected by 0 other vulnerabilities)

VCID-f1fj-wjnf-rfch
Aliases: CVE-2025-3932
Summary: It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email.
Fixed by: 1:128.10.1esr-1 (affected by 0 other vulnerabilities)

VCID-kvsf-hz19-wfcc
Aliases: CVE-2025-3522
Summary: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues.
Fixed by: 1:137.0-1 (affected by 0 other vulnerabilities)

VCID-uene-df28-t3bf
Aliases: CVE-2025-2830
Summary: By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well.
Fixed by: 1:128.10.1esr-1 (affected by 0 other vulnerabilities); 1:137.0-1 (affected by 0 other vulnerabilities); 1:138.0-1 (affected by 0 other vulnerabilities)

VCID-zfe6-zg3h-wbhy
Aliases: CVE-2025-3875
Summary: Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address.
Fixed by: 1:128.10.1esr-1~deb12u1 (affected by 0 other vulnerabilities); 1:128.10.1esr-1 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Package history (columns: Date, Actor, Action, Vulnerability, Source, VulnerableCode Version)
2025-05-20T10:59:50.895804+00:00 Debian Importer Affected by VCID-f1fj-wjnf-rfch https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-20T03:48:47.055019+00:00 Debian Importer Affected by VCID-6kgm-9pss-vkfv https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-18T19:23:24.433728+00:00 Debian Importer Affected by VCID-zfe6-zg3h-wbhy https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-03T15:12:22.872018+00:00 Debian Importer Fixing VCID-12vf-f2r4-bqge https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-03T13:12:57.789782+00:00 Debian Importer Affected by VCID-kvsf-hz19-wfcc https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-03T10:57:39.829256+00:00 Debian Importer Fixing VCID-92ju-8t11-sqf7 https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-03T10:18:22.840510+00:00 Debian Importer Affected by VCID-6xsv-8x8g-ukez https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-02T21:26:32.041361+00:00 Debian Importer Fixing VCID-8h5s-cdt9-guh9 https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-02T19:48:51.913954+00:00 Debian Importer Fixing VCID-qdcz-15x5-6qfp https://security-tracker.debian.org/tracker/data/json 36.0.0
2025-05-02T02:59:28.157581+00:00 Debian Importer Affected by VCID-uene-df28-t3bf https://security-tracker.debian.org/tracker/data/json 36.0.0