English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.1.10.2021.0506
Category:Mageia Linux Local Security Checks
Title:Mageia: Security Advisory (MGASA-2021-0506)
Summary:The remote host is missing an update for the 'thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2021-0506 advisory.
Description:Summary:
The remote host is missing an update for the 'thunderbird, thunderbird-l10n' package(s) announced via the MGASA-2021-0506 advisory.

Vulnerability Insight:
Updated thunderbird packages fix security vulnerabilities:

The iframe sandbox rules were not correctly applied to XSLT stylesheets,
allowing an iframe to bypass restrictions such as executing scripts or
navigating the top-level frame (CVE-2021-38503).

When interacting with an HTML input element's file picker dialog with
webkitdirectory set, a use-after-free could have resulted, leading to memory
corruption and a potentially exploitable crash (CVE-2021-38504).

Through a series of navigations, Thunderbird could have entered fullscreen
mode without notification or warning to the user. This could lead to spoofing
attacks on the browser UI including phishing (CVE-2021-38506).

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection
to be transparently upgraded to TLS while retaining the visual properties of
an HTTP connection, including being same-origin with unencrypted connections
on port 80. However, if a second encrypted port on the same IP address (e.g.
port 8443) did not opt-in to opportunistic encryption, a network attacker
could forward a connection from the browser to port 443 to port 8443, causing
the browser to treat the content of port 8443 as same-origin with HTTP. This
was resolved by disabling the Opportunistic Encryption feature, which had low
usage (CVE-2021-38507).

A use-after-free could have occurred when an HTTP2 session object was released
on a different thread, leading to memory corruption and a potentially
exploitable crash (CVE-2021-43535).

By displaying a form validity message in the correct location at the same time
as a permission prompt (such as for geolocation), the validity message could
have obscured the prompt, resulting in the user potentially being tricked into
granting the permission (CVE-2021-38508).

Due to an unusual sequence of attacker-controlled events, a Javascript alert()
dialog with arbitrary (although unstyled) contents could be displayed over top
an uncontrolled webpage of the attacker's choosing (CVE-2021-38509).

Mozilla developers and community members Christian Holler, Valentin Gosu, and
Andrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some
of these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code
(CVE-2021-43534).

Affected Software/OS:
'thunderbird, thunderbird-l10n' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2021-38503
Debian Security Information: DSA-5026 (Google Search)
https://www.debian.org/security/2021/dsa-5026
Debian Security Information: DSA-5034 (Google Search)
https://www.debian.org/security/2022/dsa-5034
https://security.gentoo.org/glsa/202202-03
https://security.gentoo.org/glsa/202208-14
https://bugzilla.mozilla.org/show_bug.cgi?id=1729517
https://www.mozilla.org/security/advisories/mfsa2021-48/
https://www.mozilla.org/security/advisories/mfsa2021-49/
https://www.mozilla.org/security/advisories/mfsa2021-50/
https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html
https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-38504
https://bugzilla.mozilla.org/show_bug.cgi?id=1730156
Common Vulnerability Exposure (CVE) ID: CVE-2021-38506
https://bugzilla.mozilla.org/show_bug.cgi?id=1730750
Common Vulnerability Exposure (CVE) ID: CVE-2021-38507
https://bugzilla.mozilla.org/show_bug.cgi?id=1730935
Common Vulnerability Exposure (CVE) ID: CVE-2021-38508
https://bugzilla.mozilla.org/show_bug.cgi?id=1366818
Common Vulnerability Exposure (CVE) ID: CVE-2021-38509
https://bugzilla.mozilla.org/show_bug.cgi?id=1718571
Common Vulnerability Exposure (CVE) ID: CVE-2021-43534
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1606864%2C1712671%2C1730048%2C1735152
Common Vulnerability Exposure (CVE) ID: CVE-2021-43535
https://bugzilla.mozilla.org/show_bug.cgi?id=1667102
https://www.mozilla.org/security/advisories/mfsa2021-43/
CopyrightCopyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.