Search for vulnerabilities
Vulnerability details: VCID-ft6s-bv7f-5kbt
Vulnerability ID VCID-ft6s-bv7f-5kbt
Aliases CVE-2024-1936
Summary The encrypted subject of an email message could be incorrectly and permanently assigned to an arbitrary other email message in Thunderbird's local cache. Consequently, when replying to the contaminated email message, the user might accidentally leak the confidential subject to a third-party. While this update fixes the bug and avoids future message contamination, it does not automatically repair existing contaminations. Users are advised to use the repair folder functionality, which is available from the context menu of email folders, which will erase incorrect subject assignments.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-311 Missing Encryption of Sensitive Data
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1936.json
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2024-1936
cvssv3.1 7.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
ssvc Track* https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
ssvc Track* https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2024-11
cvssv3.1 7.5 https://www.mozilla.org/security/advisories/mfsa2024-11/
ssvc Track* https://www.mozilla.org/security/advisories/mfsa2024-11/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1936.json
https://api.first.org/data/v1/epss?cve=CVE-2024-1936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2616
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2268171 https://bugzilla.redhat.com/show_bug.cgi?id=2268171
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
CVE-2024-1936 https://nvd.nist.gov/vuln/detail/CVE-2024-1936
mfsa2024-11 https://www.mozilla.org/en-US/security/advisories/mfsa2024-11
mfsa2024-11 https://www.mozilla.org/security/advisories/mfsa2024-11/
msg00022.html https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
RHSA-2024:1492 https://access.redhat.com/errata/RHSA-2024:1492
RHSA-2024:1493 https://access.redhat.com/errata/RHSA-2024:1493
RHSA-2024:1494 https://access.redhat.com/errata/RHSA-2024:1494
RHSA-2024:1495 https://access.redhat.com/errata/RHSA-2024:1495
RHSA-2024:1496 https://access.redhat.com/errata/RHSA-2024:1496
RHSA-2024:1497 https://access.redhat.com/errata/RHSA-2024:1497
RHSA-2024:1498 https://access.redhat.com/errata/RHSA-2024:1498
RHSA-2024:1499 https://access.redhat.com/errata/RHSA-2024:1499
RHSA-2024:1500 https://access.redhat.com/errata/RHSA-2024:1500
show_bug.cgi?id=1860977 https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
USN-6669-1 https://usn.ubuntu.com/6669-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1936.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-08T19:16:17Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1860977
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-08T19:16:17Z/ Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.mozilla.org/security/advisories/mfsa2024-11/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-08T19:16:17Z/ Found at https://www.mozilla.org/security/advisories/mfsa2024-11/
Exploit Prediction Scoring System (EPSS)
Percentile 0.50498
EPSS Score 0.00273
Published At Aug. 4, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:09:06.354672+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2024/mfsa2024-11.yml 37.0.0