Mozilla Foundation Security Advisory 2023-27

Security Vulnerabilities fixed in Thunderbird 115.0.1

Announced: July 20, 2023
Impact: high
Products: Thunderbird
Fixed in: Thunderbird 115.0.1

CVE-2023-3600: Use-after-free in workers

Reporter: Andrew McCreight
Impact: high
Description

During the worker lifecycle, a use-after-free condition could have occurred, which could have led to a potentially exploitable crash.

References

CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character

Reporter: 이준성 (Junsung Lee)
Impact: moderate
Description

Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension.
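
For mail-gateway or triage tooling, the same strip-then-check idea can be applied to attachment filenames before they reach a client. The following is an added example, not Thunderbird's code: it parses a message, flags attachment filenames containing bidirectional formatting controls, and reports the extension that remains once they are stripped. The function names, the extension list and the sample message are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Bidi formatting controls: LRE, RLE, PDF, LRO, RLO (U+202A-U+202E) and the
# isolates LRI, RLI, FSI, PDI (U+2066-U+2069). Covering the whole set is an
# assumption of this example; the advisory names only the override character.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Hypothetical policy list of extensions treated as executable.
RISKY_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"})


def strip_bidi(name):
    """Return the filename with every bidi formatting control removed."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def audit_attachments(raw_message):
    """Return a finding for each attachment whose filename has bidi controls."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name or BIDI_CONTROLS.isdisjoint(name):
            continue
        cleaned = strip_bidi(name)
        ext = os.path.splitext(cleaned)[1].lower()
        findings.append({"raw": name, "cleaned": cleaned, "extension": ext,
                         "risky": ext in RISKY_EXTENSIONS})
    return findings


def build_sample():
    """Constructed test message: one flagged attachment, one clean one."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(b"\x00", maintype="application",
                       subtype="octet-stream", filename="report\u202efdp.exe")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in audit_attachments(build_sample()):
        print(ascii(f["raw"]), "->", f["cleaned"], f["extension"], f["risky"])
```

Printing the raw name with `ascii()` keeps the control character visible as an escape instead of letting the terminal apply it.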

References