SB2025070228 - Red Hat Enterprise Linux 10 update for thunderbird
Published: July 2, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2025-5986)
The vulnerability allows a remote attacker to gain access to sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling mailbox:/// links. A remote attacker can create a specially crafted email containing mailbox:/// links and trigger unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. Additionally, this behavior can be used to leak Windows credentials via SMB links when the email is viewed in HTML mode.
Note that viewing the email in HTML mode is enough to load external content.
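A mail gateway or triage script can flag messages that carry such links before they reach a vulnerable client. The Python below is an added example, not code from this bulletin, Red Hat or Mozilla; the attribute list, the treatment of smb:, file: and UNC paths as "SMB links", and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# "mailbox:" is the scheme named in the bulletin. Treating "smb:", "file:" and
# UNC paths as the bulletin's "SMB links" is an assumption of this example.
SUSPECT_SCHEMES = ("mailbox:", "smb:", "file:")
URL_ATTRS = {"href", "src", "data", "action", "background", "poster"}  # assumed list

class LinkCollector(HTMLParser):
    """Collect (tag, attribute, value) for URL attributes with a suspect scheme."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = value.strip()
            # UNC paths (\\host\share) carry no scheme, so test them separately.
            if url.lower().startswith(SUSPECT_SCHEMES) or url.startswith("\\\\"):
                self.hits.append((tag, name, url))

def scan_message(raw_bytes):
    """Return suspect links found in the text/html parts of one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        collector.close()
        hits.extend(collector.hits)
    return hits

# Constructed sample message; the link target is a placeholder, not a real path.
SAMPLE = (
    b"From: sender@example.test\r\nTo: user@example.test\r\n"
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><a href="https://example.test/">ok</a>'
    b'<a href="mailbox:///PLACEHOLDER">report</a></body></html>\r\n'
)

if __name__ == "__main__":
    for tag, attr, url in scan_message(SAMPLE):
        print(f"suspect link in <{tag} {attr}>: {url}")
```

Only text/html parts are inspected, matching the bulletin's note that HTML rendering is what loads the content; a hit is a reason to quarantine or review the message, not proof of exploitation.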
Remediation
Install the update from the vendor's website.