Search for vulnerabilities
Vulnerability details: VCID-8mb9-p57n-aaak
Vulnerability ID VCID-8mb9-p57n-aaak
Aliases CVE-2022-45414
Summary If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.
Status Published
Exploitability 0.5
Weighted Severity 7.3
Risk 3.6
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-668 Exposure of Resource to Wrong Sphere
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45414.json
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00161 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00162 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
epss 0.00517 https://api.first.org/data/v1/epss?cve=CVE-2022-45414
cvssv3.1 8.1 https://bugzilla.mozilla.org/show_bug.cgi?id=1788096
ssvc Track https://bugzilla.mozilla.org/show_bug.cgi?id=1788096
cvssv3.1 6.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-45414
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2022-45414
generic_textual none https://www.mozilla.org/en-US/security/advisories/mfsa2022-50
cvssv3.1 8.1 https://www.mozilla.org/security/advisories/mfsa2022-50/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2022-50/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45414.json
https://api.first.org/data/v1/epss?cve=CVE-2022-45414
https://bugzilla.mozilla.org/show_bug.cgi?id=1788096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46878
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46882
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://www.mozilla.org/security/advisories/mfsa2022-50/
2149868 https://bugzilla.redhat.com/show_bug.cgi?id=2149868
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVE-2022-45414 https://nvd.nist.gov/vuln/detail/CVE-2022-45414
mfsa2022-50 https://www.mozilla.org/en-US/security/advisories/mfsa2022-50
RHSA-2022:9074 https://access.redhat.com/errata/RHSA-2022:9074
RHSA-2022:9075 https://access.redhat.com/errata/RHSA-2022:9075
RHSA-2022:9076 https://access.redhat.com/errata/RHSA-2022:9076
RHSA-2022:9077 https://access.redhat.com/errata/RHSA-2022:9077
RHSA-2022:9078 https://access.redhat.com/errata/RHSA-2022:9078
RHSA-2022:9079 https://access.redhat.com/errata/RHSA-2022:9079
RHSA-2022:9080 https://access.redhat.com/errata/RHSA-2022:9080
RHSA-2022:9081 https://access.redhat.com/errata/RHSA-2022:9081
USN-5824-1 https://usn.ubuntu.com/5824-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45414.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1788096
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-15T14:54:57Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1788096
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-45414
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-45414
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://www.mozilla.org/security/advisories/mfsa2022-50/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-15T14:54:57Z/ Found at https://www.mozilla.org/security/advisories/mfsa2022-50/
Exploit Prediction Scoring System (EPSS)
Percentile 0.53395
EPSS Score 0.00161
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.