SB2018110103 - Multiple vulnerabilities in Mozilla Thunderbird
Published: November 1, 2018
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Cross-origin policy bypass (CVE-ID: CVE-2018-12391)
The vulnerability allows a remote attacker to bypass security restrictions on the target system. The weakness exists because audio data can be accessed across origins in violation of security policies during HTTP Live Stream playback on Firefox for Android. A remote attacker can trick the victim into visiting a specially crafted website, bypass cross-origin policies and conduct further attacks.
2) Poor event handling (CVE-ID: CVE-2018-12392)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to poor event handling when manipulating user events in nested loops while opening a document through script. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Integer overflow (CVE-ID: CVE-2018-12393)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to an integer overflow during the conversion of scripts to an internal UTF-16 representation. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
4) Memory corruption (CVE-ID: CVE-2018-12389)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
5) Memory corruption (CVE-ID: CVE-2018-12390)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists due to a boundary error when handling malicious input. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install the update from the vendor's website.