Mozilla Foundation Security Advisory 2019-20
Security vulnerabilities fixed in Thunderbird 60.7.2
- June 20, 2019
- Fixed in
- Thunderbird 60.7.2
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2019-11707: Type confusion in Array.pop
- Samuel Groß of Google Project Zero, Coinbase Security
Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
#CVE-2019-11708: sandbox escape using Prompt:Open
- Coinbase Security
Insufficient vetting of parameters passed with the
Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.