Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Mozilla Thunderbird does not adequately restrict HTML elements in email message content
Informations
Name VU#863369 First vendor Publication 2014-01-27
Vendor VU-CERT Last vendor Modification 2014-01-28
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#863369

Mozilla Thunderbird does not adequately restrict HTML elements in email message content

Original Release date: 27 Jan 2014 | Last revised: 28 Jan 2014

Overview

Mozilla Thunderbird does not adequately restrict HTML elements in email content, which could allow an attacker to execute arbitrary script when a specially-crafted email message is forwarded or replied to.

Description

Vulnerability Lab has reported a vulnerability in the way Mozilla Thunderbird handles HTML elements in email content. Mozilla Thunderbird blocks the creation of certain HTML elements, such as script, when displaying email messages. Traditionally, a script element is created through the use of a <script> HTML tag. HTML elements, including script, can also be created through the use of an <object> tag that specifies a Data URI scheme (RFC 2397). The Data URI can specify a text/html mime type and encode the script in base64. In such cases, Thunderbird will execute the script contained in the email message when it is forwarded or replied to and the outgoing message is in HTML format. Simply displaying the email message does not appear to cause the script to execute.

See Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability for more details.

Testing indicates that Thunderbird 17.0.{6,7,8} are vulnerable. Earlier versions may also be vulnerable.

Impact

By creating a specially-crafted email message, an attacker can cause arbitrary script to execute in Thunderbird when that message is forwarded or replied to.

Solution

Apply an update

Limited testing has shown that Thunderbird versions 24.0 and later are not affected by this vulnerability.

Compose email in plain text format

Disabling the setting to "Compose messages in HTML format" for each email account will help protect against attacks. This will cause outgoing messages to be constructed in plain text, which does not contain HTML elements.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
MozillaAffected-27 Jan 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base5.0AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal3.9E:POC/RL:OF/RC:C
Environmental2.9CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.vulnerability-lab.com/get_content.php?id=953
  • https://developer.mozilla.org/en-US/docs/data_URIs
  • http://tools.ietf.org/html/rfc2397

Credit

This vulnerability was reported by Vulnerability Laboratory, who in turn credits Ateeq ur Rehman Khan.

This document was written by Art Manion and Will Dormann.

Other Information

  • CVE IDs:CVE-2013-6674
  • Date Public:27 Jan 2014
  • Date First Published:27 Jan 2014
  • Date Last Updated:28 Jan 2014
  • Document Revision:25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/863369

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22122
 
Oval ID: oval:org.mitre.oval:def:22122
Title: Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data
Description: Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a related issue to CVE-2014-2018.
Family: windows Class: vulnerability
Reference(s): CVE-2013-6674
Version: 13
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Mozilla Firefox
Mozilla SeaMonkey
Mozilla Thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23547
 
Oval ID: oval:org.mitre.oval:def:23547
Title: DEPRECATED: ELSA-2013:1823: thunderbird security update (Important)
Description: Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a related issue to CVE-2014-2018.
Family: unix Class: patch
Reference(s): ELSA-2013:1823-04
CVE-2013-0772
CVE-2013-5609
CVE-2013-5612
CVE-2013-5613
CVE-2013-5614
CVE-2013-5616
CVE-2013-5618
CVE-2013-6671
CVE-2013-6674
Version: 42
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23580
 
Oval ID: oval:org.mitre.oval:def:23580
Title: ELSA-2013:1823: thunderbird security update (Important)
Description: Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a related issue to CVE-2014-2018.
Family: unix Class: patch
Reference(s): ELSA-2013:1823-04
CVE-2013-0772
CVE-2013-5609
CVE-2013-5612
CVE-2013-5613
CVE-2013-5614
CVE-2013-5616
CVE-2013-5618
CVE-2013-6671
CVE-2013-6674
Version: 41
Platform(s): Oracle Linux 6
Oracle Linux 5
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24272
 
Oval ID: oval:org.mitre.oval:def:24272
Title: USN-2119-1 -- thunderbird vulnerabilities
Description: Several security issues were fixed in Thunderbird.
Family: unix Class: patch
Reference(s): USN-2119-1
CVE-2014-1477
CVE-2014-1479
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487
CVE-2014-1490
CVE-2014-1491
CVE-2014-1481
CVE-2013-6674
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): thunderbird
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 197
Application 9
Application 11

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-02-06 IAVM : 2014-A-0021 - Multiple Vulnerabilities in Mozilla Products
Severity : Category I - VMSKEY : V0043921

Snort® IPS/IDS

Date Description
2019-10-08 Mozilla Thunderbird input filter bypass cross site scripting attempt
RuleID : 51405 - Revision : 1 - Type : SERVER-MAIL

Nessus® Vulnerability Scanner

Date Description
2014-02-20 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2119-1.nasl - Type : ACT_GATHER_INFO
2013-12-12 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2013-1823.nasl - Type : ACT_GATHER_INFO
2013-12-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2013-1823.nasl - Type : ACT_GATHER_INFO
2013-12-12 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1823.nasl - Type : ACT_GATHER_INFO
2013-09-19 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_24_0.nasl - Type : ACT_GATHER_INFO
2013-09-19 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_24.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_220.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2014-02-19 00:22:26
  • Multiple Updates
2014-02-18 13:24:41
  • Multiple Updates
2014-02-17 12:08:14
  • Multiple Updates
2014-01-29 00:18:15
  • Multiple Updates
2014-01-28 00:18:09
  • First insertion