ByteOS Network

CVE Vulnerability Details :

CVE-2025-3932

PUBLISHED

More Info Official Page

Assigner-mozilla

Assigner Org ID-f16b083a-5664-49f3-a51e-8d479e5ed7fe

Published At-14 May, 2025 | 16:56

Updated At-15 May, 2025 | 15:53

▼CVE Numbering Authority (CNA)

It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.

Affected Products

Vendor

Mozilla Corporation

Product

Thunderbird

Versions

Affected

From unspecified before 128.10.1 (custom)

Vendor

Mozilla Corporation

Product

Thunderbird

Versions

Affected

From unspecified before 138.0.1 (custom)

Problem Types

Type	CWE ID	Description
text	N/A	Tracking Links in Attachments Bypassed Remote Content Blocking

Credits

Dario Weißer

References

Hyperlink	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1960412	N/A
https://www.mozilla.org/security/advisories/mfsa2025-34/	N/A
https://www.mozilla.org/security/advisories/mfsa2025-35/	N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Problem Types

Type	CWE ID	Description
CWE	CWE-288	CWE-288 Authentication Bypass Using an Alternate Path or Channel

Metrics

Version	Base score	Base severity	Vector
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products

Affected

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References