Mozilla Foundation Security Advisory 2022-54

Security Vulnerabilities fixed in Thunderbird 102.6.1

Announced

December 20, 2022

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 102.6.1

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions

Reporter: Matthias Zoellner
Impact: moderate

Description

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.
Note: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1

References

Bug 1746139

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Privacy Promise

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Product Promise

Firefox Relay

MDN Plus

Mozilla Manifesto

Mozilla Foundation

Get involved

Leadership

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Common Voice

Mozilla Innovation Projects

Mozilla Foundation Security Advisory 2022-54

Security Vulnerabilities fixed in Thunderbird 102.6.1

#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions

Description

References