Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
The frame navigation validation mechanism did not consider the URL path component during verification of whether a given navigation is allowed (CWE-345: lack of verification of data authenticity/integrity). This means that security controls could be bypassed through a specially crafted request path, leading to unauthorized transitions within the embedded frame. The vulnerability is remotely accessible, requires no authentication, and requires no user interaction, making it easy to exploit in practice.
An attacker can bypass frame navigation control mechanisms, potentially gaining unauthorized access to resources, modifying content, or compromising the confidentiality, integrity, and availability of data processed by the application.
Update to Firefox 141 or Firefox ESR 140.1 and Thunderbird 141 or Thunderbird 140.1. Patches are available through Mozilla's automatic update mechanism and on the official product websites referenced.
Mozilla Firefox versions prior to 141 and Firefox ESR versions prior to 140.1; Mozilla Thunderbird versions prior to 141 and Thunderbird versions prior to 140.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 140.1.0< 141.0Mozilla Thunderbird
APPMozilla< 140.1.0< 141.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...