Mozilla Foundation Security Advisory 2022-18

Security Vulnerabilities fixed in Thunderbird 91.9

- Announced:
- Impact: high
- Products: Thunderbird
- Fixed in:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

# CVE-2022-1520: Incorrect security status shown after viewing an attached email

- Reporter: Thunderbird team
- Impact: low

Description

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B.

# CVE-2022-29914: Fullscreen notification bypass using popups

- Reporter: Irvan Kurniawan
- Impact: high

Description

When reusing existing popups Thunderbird would allow them to cover the fullscreen notification UI, which could enable browser spoofing attacks.

# CVE-2022-29909: Bypassing permission prompt in nested browsing contexts

- Reporter: Armin Ebert
- Impact: high

Description

Documents in deeply-nested cross-origin browsing contexts could obtain permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.