Search for vulnerabilities
Vulnerability details: VCID-f1fj-wjnf-rfch
Vulnerability ID VCID-f1fj-wjnf-rfch
Aliases CVE-2025-3932
Summary It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-288 Authentication Bypass Using an Alternate Path or Channel
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3932.json
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-3932
cvssv3.1 6.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
ssvc Track https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2025-34
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2025-35
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-34/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-34/
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-35/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-35/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3932.json
https://api.first.org/data/v1/epss?cve=CVE-2025-3932
https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3932
https://www.mozilla.org/security/advisories/mfsa2025-34/
https://www.mozilla.org/security/advisories/mfsa2025-35/
2366297 https://bugzilla.redhat.com/show_bug.cgi?id=2366297
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVE-2025-3932 https://nvd.nist.gov/vuln/detail/CVE-2025-3932
mfsa2025-34 https://www.mozilla.org/en-US/security/advisories/mfsa2025-34
mfsa2025-35 https://www.mozilla.org/en-US/security/advisories/mfsa2025-35
RHSA-2025:8196 https://access.redhat.com/errata/RHSA-2025:8196
RHSA-2025:8203 https://access.redhat.com/errata/RHSA-2025:8203
RHSA-2025:8324 https://access.redhat.com/errata/RHSA-2025:8324
RHSA-2025:8325 https://access.redhat.com/errata/RHSA-2025:8325
RHSA-2025:8326 https://access.redhat.com/errata/RHSA-2025:8326
RHSA-2025:8391 https://access.redhat.com/errata/RHSA-2025:8391
RHSA-2025:8507 https://access.redhat.com/errata/RHSA-2025:8507
RHSA-2025:8594 https://access.redhat.com/errata/RHSA-2025:8594
RHSA-2025:8756 https://access.redhat.com/errata/RHSA-2025:8756
RHSA-2025:8784 https://access.redhat.com/errata/RHSA-2025:8784
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3932.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:40:19Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-34/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:40:19Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-34/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-35/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:40:19Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-35/
Exploit Prediction Scoring System (EPSS)
Percentile 0.02538
EPSS Score 0.00017
Published At May 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-05-14T21:39:26.669823+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2025/mfsa2025-34.yml 36.0.0