AVG-2710 log

Package thunderbird
Status Fixed
Severity High
Type multiple issues
Affected 91.8.1-1
Fixed 91.9-1
Current 102.5.0-1 [extra]
Ticket None
Created Sat May 14 19:54:17 2022
Issue Severity Remote Type Description
CVE-2022-29917 High Yes Arbitrary code execution
Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox...
CVE-2022-29916 High Yes Information disclosure
Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the...
CVE-2022-29914 High Yes Content spoofing
When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.
CVE-2022-29913 Medium Yes Insufficient validation
The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process.
CVE-2022-29912 Medium Yes Insufficient validation
Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.
CVE-2022-29911 High Yes Arbitrary code execution
An improper implementation of the new iframe sandbox keyword allow- top-navigation-by-user-activation could lead to script execution without allow-scripts...
CVE-2022-29909 High Yes Privilege escalation
Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and...
CVE-2022-1520 Low No Insufficient validation
When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect...
References
https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/
Notes
"In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts."