VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-d6uv-yc2e-pbf7

Essentials
Severities (27)
References (22)
Severity details (9)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-d6uv-yc2e-pbf7
Aliases	CVE-2025-3932
Summary	It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-288

Authentication Bypass Using an Alternate Path or Channel

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3932.json
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-3932
cvssv3.1	6.5	https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
ssvc	Track	https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2025-34
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2025-35
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2025-34/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2025-34/
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2025-35/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2025-35/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3932.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-3932
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3932
2366297		https://bugzilla.redhat.com/show_bug.cgi?id=2366297
cpe:2.3:a:mozilla:thunderbird::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird::::::::
CVE-2025-3932		https://nvd.nist.gov/vuln/detail/CVE-2025-3932
mfsa2025-34		https://www.mozilla.org/en-US/security/advisories/mfsa2025-34
mfsa2025-34		https://www.mozilla.org/security/advisories/mfsa2025-34/
mfsa2025-35		https://www.mozilla.org/en-US/security/advisories/mfsa2025-35
mfsa2025-35		https://www.mozilla.org/security/advisories/mfsa2025-35/
RHSA-2025:8196		https://access.redhat.com/errata/RHSA-2025:8196
RHSA-2025:8203		https://access.redhat.com/errata/RHSA-2025:8203
RHSA-2025:8324		https://access.redhat.com/errata/RHSA-2025:8324
RHSA-2025:8325		https://access.redhat.com/errata/RHSA-2025:8325
RHSA-2025:8326		https://access.redhat.com/errata/RHSA-2025:8326
RHSA-2025:8391		https://access.redhat.com/errata/RHSA-2025:8391
RHSA-2025:8507		https://access.redhat.com/errata/RHSA-2025:8507
RHSA-2025:8594		https://access.redhat.com/errata/RHSA-2025:8594
RHSA-2025:8756		https://access.redhat.com/errata/RHSA-2025:8756
RHSA-2025:8784		https://access.redhat.com/errata/RHSA-2025:8784
show_bug.cgi?id=1960412		https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
USN-7663-1		https://usn.ubuntu.com/7663-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3932.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1960412

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:40:19Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1960412

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-34/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:40:19Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-34/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-35/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:40:19Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-35/

Exploit Prediction Scoring System (EPSS)

Percentile	0.12028
EPSS Score	0.00042
Published At	July 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:09:24.709757+00:00	Mozilla Importer	Import	https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2025/mfsa2025-35.yml	37.0.0