Mozilla Foundation Security Advisory 2022-54

Security Vulnerabilities fixed in Thunderbird 102.6.1

Announced

December 20, 2022

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 102.6.1

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions

Reporter: Matthias Zoellner
Impact: moderate

Description

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.
Note: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1

References

Bug 1746139

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising