Vulnerability Details
Basic Information
| Title | (RHSA-2025:4460) Important: thunderbird security update |
|---|---|
| Type | redhat |
| Published | 2025-05-05T11:04:12 |
| Last Seen | 2025-05-05T16:58:17 |
| CVSS Score | 9.1 (CRITICAL) |

CVSS v3 Details

| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | NONE |

CVE Information

| CVE IDs | CVE-2025-2817, CVE-2025-4083, CVE-2025-4087, CVE-2025-4091, CVE-2025-4093 |
|---|---|
| CWE | CWE-120 |
| Bulletin Family | unix |

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
* firefox: thunderbird: Privilege escalation in Firefox Updater (CVE-2025-2817)
* firefox: thunderbird: Unsafe attribute access during XPath parsing (CVE-2025-4087)
* firefox: thunderbird: Process isolation bypass using “javascript:” URI links in cross-origin frames (CVE-2025-4083)
* firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 (CVE-2025-4091)
* firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 (CVE-2025-4093)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Impact Assessment

| Base Score | 9.1 |
|---|---|
| Severity | CRITICAL |