Bug 863095 (CVE-2013-6674) - VUL-0: CVE-2013-6674: Thunderbird, Seamonkey: Script execution in HTML mail replies (mfsa2014-14)
Status: VERIFIED FIXED
Alias: CVE-2013-6674
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
 
Reported: 2014-02-10 16:41 UTC by Alexander Bergmann
Modified: 2014-02-10 17:04 UTC
Found By: Security Response Team


Description Alexander Bergmann 2014-02-10 16:41:49 UTC
http://www.mozilla.org/security/announce/2014/mfsa2014-14.html

Products: Thunderbird, Seamonkey

Fixed in: 
Thunderbird 23
SeaMonkey 2.20

Description

Security researcher Fabián Cuchietti discovered that it was possible to bypass the restriction on JavaScript execution in mail by embedding an <iframe> with a data: URL within a message. If the victim replied or forwarded the mail after receiving it, quoting it "in-line" using Thunderbird's HTML mail editor, it would run the attached script. The running script would be restricted to the mail composition window where it could observe and potentially modify the content of the mail before it was sent. Scripts were not executed if the recipient merely viewed the mail, only if it was edited as HTML. Turning off HTML composition prevented the vulnerability and forwarding the mail "as attachment" prevented the forwarding variant.

CVE-2013-6674 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6674
https://bugzilla.redhat.com/show_bug.cgi?id=1063120
Comment 1 Alexander Bergmann 2014-02-10 17:04:49 UTC
Closing as fixed.

openSUSE:12.3: thunderbird-24.3.0
openSUSE:13.1: thunderbird-24.3.0

MozillaThunderbird is not part of SLE.
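
The advisory text quoted in the description names the trigger as an <iframe> with a data: URL inside an HTML message. The following triage check is an added example, not code from Mozilla or SUSE: it flags stored messages whose HTML parts contain that construct. The names find_data_iframes, IframeDataFinder and make_sample, and the sample messages, are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class IframeDataFinder(HTMLParser):
    """Collect src values of <iframe> tags whose URL uses the data: scheme."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes character
        # references in values, so <IFRAME SRC="&#100;ata:..."> is caught too.
        if tag != "iframe":
            return
        for name, value in attrs:
            if name != "src" or not value:
                continue
            # URL parsers drop tab/CR/LF and surrounding whitespace before
            # reading the scheme, so normalise the same way before matching.
            url = "".join(c for c in value if c not in "\t\r\n").strip()
            if url.lower().startswith("data:"):
                self.hits.append(url[:60])

def find_data_iframes(raw_message: bytes) -> list:
    """Return truncated data: URLs found in iframes of every text/html part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = IframeDataFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend(finder.hits)
    return hits

def make_sample(html: str) -> bytes:
    """Build a constructed single-part HTML message for the checks below."""
    head = ("From: a@example.test\r\nTo: b@example.test\r\n"
            "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n")
    return (head + html + "\r\n").encode("utf-8")

# Constructed inputs: placeholder payload text only, no script content.
FLAGGED = make_sample("<p>hi</p><IFRAME SRC=' data:text/html,PLACEHOLDER'></IFRAME>")
CLEAN = make_sample("<p>hi</p><iframe src='https://example.test/'></iframe>")
```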