VDB

GCVE-110-MAGEIA-2017-477

GCVE-110-MAGEIA-2017-477
Advisory Published
Vulnetix · Advisory published December 31, 2017
Multiple vulnerabilies have been fixed in thunderbird. * JavaScript Execution via RSS in mailbox:// origin (CVE-2017-7846). * Local path string can be leaked from RSS feed (CVE-2017-7847). * RSS Feed vulnerable to new line Injection (CVE-2017-7848). * Mailsploit From address with encoded null character is cut off in message header display (CVE-2017-7829). Multiple vulnerabilies have been fixed in the bundled enigmail package. * An issue was discovered that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list (CVE-2017-17843). * A remote attacker can obtain cleartext content by sending an encrypted data block to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text (CVE-2017-17844). * An issue was discovered where Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp) (CVE-2017-17845). * An issue was discovered where regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings (CVE-2017-17846). * An issue was discovered that signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message (CVE-2017-17847). * In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed (CVE-2017-17848)

Affected Products

VendorProductVersionsPlatforms
Mageiathunderbird0 (affected), 52.5.2-1.mga5 (unaffected)
Mageiathunderbird-l10n52.5.2-1.mga6 (unaffected), 0 (affected)
Mageiathunderbird0 (affected), 52.5.2-1.mga6 (unaffected)
Mageiathunderbird-l10n0 (affected), 52.5.2-1.mga5 (unaffected)

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›