AVG-2518

Package thunderbird
Status Fixed
Severity High
Type multiple issues
Affected 91.2.1-1
Fixed 91.3.0-1
Current 128.4.4-1 [extra-testing], 128.4.3-1 [extra]
Ticket None
Created Wed Nov 3 16:39:52 2021
Issue Severity Remote Type Description
CVE-2021-38509 Medium Yes Content spoofing
A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. Due to an unusual sequence of attacker-controlled events,...
CVE-2021-38508 Medium Yes Content spoofing
A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. By displaying a form validity message in the correct...
CVE-2021-38507 High Yes Same-origin policy bypass
A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. The Opportunistic Encryption feature of HTTP2 (RFC 8164)...
CVE-2021-38506 High Yes Content spoofing
A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. Through a series of navigations, Firefox and Thunderbird...
CVE-2021-38504 High Yes Arbitrary code execution
A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. When interacting with an HTML input element's file picker...
CVE-2021-38503 High Yes Sandbox escape
A security issue has been found in Firefox before version 94 and Thunderbird before version 91.3. The iframe sandbox rules were not correctly applied to...
Date Advisory Package Type
05 Nov 2021 ASA-202111-3 thunderbird multiple issues
Notes
In general, these flaws cannot be exploited through email because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.

There are two further security issues with pending CVE assignments in the advisory (MOZ-2021-0007, MOZ-2021-0008).