Security Advisories for Thunderbird
Impact key
- Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
- High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
- Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
- Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)
# Fixed in Thunderbird 132.0.1
# Fixed in Thunderbird 132
# Fixed in Thunderbird 131.0.1
# Fixed in Thunderbird 131
# Fixed in Thunderbird 128.4.3
# Fixed in Thunderbird 128.4
# Fixed in Thunderbird 128.3.1
# Fixed in Thunderbird 128.3
# Fixed in Thunderbird 128.2
# Fixed in Thunderbird 128.1
# Fixed in Thunderbird 128
# Fixed in Thunderbird 115.16
# Fixed in Thunderbird 115.15
# Fixed in Thunderbird 115.14
# Fixed in Thunderbird 115.13
# Fixed in Thunderbird 115.12
# Fixed in Thunderbird 115.11
# Fixed in Thunderbird 115.10
# Fixed in Thunderbird 115.9
# Fixed in Thunderbird 115.8.1
# Fixed in Thunderbird 115.8
# Fixed in Thunderbird 115.7
# Fixed in Thunderbird 115.6
# Fixed in Thunderbird 115.5
# Fixed in Thunderbird 115.4.1
# Fixed in Thunderbird 115.3.1
# Fixed in Thunderbird 115.3
# Fixed in Thunderbird 115.2.2
# Fixed in Thunderbird 115.2
# Fixed in Thunderbird 115.1
# Fixed in Thunderbird 115.0.1
# Fixed in Thunderbird 102.15.1
# Fixed in Thunderbird 102.15
# Fixed in Thunderbird 102.14
# Fixed in Thunderbird 102.13.1
# Fixed in Thunderbird 102.13
# Fixed in Thunderbird 102.12
# Fixed in Thunderbird 102.11
# Fixed in Thunderbird 102.10
# Fixed in Thunderbird 102.9.1
# Fixed in Thunderbird 102.9
# Fixed in Thunderbird 102.8
# Fixed in Thunderbird 102.7.1
# Fixed in Thunderbird 102.7
# Fixed in Thunderbird 102.6.1
# Fixed in Thunderbird 102.6
# Fixed in Thunderbird 102.5.1
# Fixed in Thunderbird 102.5
# Fixed in Thunderbird 102.4
# Fixed in Thunderbird 102.3.1
# Fixed in Thunderbird 102.3
# Fixed in Thunderbird 102.2.1
# Fixed in Thunderbird 102.2
# Fixed in Thunderbird 102.1
# Fixed in Thunderbird 102
# Fixed in Thunderbird 91.13.1
# Fixed in Thunderbird 91.13
# Fixed in Thunderbird 91.12
# Fixed in Thunderbird 91.11
# Fixed in Thunderbird 91.10
# Fixed in Thunderbird 91.9.1
# Fixed in Thunderbird 91.9
# Fixed in Thunderbird 91.8
# Fixed in Thunderbird 91.7
# Fixed in Thunderbird 91.6.2
# Fixed in Thunderbird 91.6.1
# Fixed in Thunderbird 91.6
# Fixed in Thunderbird 91.5
# Fixed in Thunderbird 91.4.1
# Fixed in Thunderbird 91.4
# Fixed in Thunderbird 91.3
# Fixed in Thunderbird 91.2
# Fixed in Thunderbird 91.1
# Fixed in Thunderbird 91.0.1
# Fixed in Thunderbird 91
# Fixed in Thunderbird 78.14
# Fixed in Thunderbird 78.13
# Fixed in Thunderbird 78.12
# Fixed in Thunderbird 78.11
# Fixed in Thunderbird 78.10.2
# Fixed in Thunderbird 78.10.1
# Fixed in Thunderbird 78.10
# Fixed in Thunderbird 78.9.1
# Fixed in Thunderbird 78.9
# Fixed in Thunderbird 78.8.1
# Fixed in Thunderbird 78.8
# Fixed in Thunderbird 78.7
# Fixed in Thunderbird 78.6.1
# Fixed in Thunderbird 78.6
# Fixed in Thunderbird 78.5.1
# Fixed in Thunderbird 78.5
# Fixed in Thunderbird 78.4.2
- 2020-49 Security Vulnerabilities fixed in Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2
# Fixed in Thunderbird 78.4
# Fixed in Thunderbird 78.3
# Fixed in Thunderbird 78.2
# Fixed in Thunderbird 78.1
# Fixed in Thunderbird 78
# Fixed in Thunderbird 68.12
# Fixed in Thunderbird 68.11
# Fixed in Thunderbird 68.10
# Fixed in Thunderbird 68.9
# Fixed in Thunderbird 68.8
# Fixed in Thunderbird 68.7
# Fixed in Thunderbird 68.6
# Fixed in Thunderbird 68.5
# Fixed in Thunderbird 68.4.1
# Fixed in Thunderbird 68.3
# Fixed in Thunderbird 68.2
# Fixed in Thunderbird 68.1.1
# Fixed in Thunderbird 68.1
# Fixed in Thunderbird 68
# Fixed in Thunderbird 60.9
# Fixed in Thunderbird 60.8
# Fixed in Thunderbird 60.7.2
# Fixed in Thunderbird 60.7.1
# Fixed in Thunderbird 60.7
# Fixed in Thunderbird 60.6.1
# Fixed in Thunderbird 60.6
# Fixed in Thunderbird 60.5.1
# Fixed in Thunderbird 60.5
# Fixed in Thunderbird 60.4
# Fixed in Thunderbird 60.3
# Fixed in Thunderbird 60.2.1
# Fixed in Thunderbird 60
# Fixed in Thunderbird 52.9
# Fixed in Thunderbird 52.8
# Fixed in Thunderbird 52.7
# Fixed in Thunderbird 52.6
# Fixed in Thunderbird 52.5.2
# Fixed in Thunderbird 52.5
# Fixed in Thunderbird 52.4
# Fixed in Thunderbird 52.3
# Fixed in Thunderbird 52.2
# Fixed in Thunderbird 52.1
# Fixed in Thunderbird 52
# Fixed in Thunderbird 45.8
# Fixed in Thunderbird 45.7
# Fixed in Thunderbird 45.6
# Fixed in Thunderbird 45.5.1
# Fixed in Thunderbird 45.5
# Fixed in Thunderbird 45.4
# Fixed in Thunderbird 45.3
# Fixed in Thunderbird 45.2
# Fixed in Thunderbird 45.1
# Fixed in Thunderbird 45
- 2016-37 Font vulnerabilities in the Graphite 2 library
- 2016-36 Use-after-free during processing of DER encoded keys in NSS
- 2016-35 Buffer overflow during ASN.1 decoding in NSS
- 2016-34 Out-of-bounds read in HTML parser following a failed allocation
- 2016-27 Use-after-free during XML transformations
- 2016-24 Use-after-free in SetBody
- 2016-23 Use-after-free in HTML5 string parser
- 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
- 2016-19 Linux video memory DOS with Intel drivers
- 2016-18 CSP reports fail to strip location information for embedded iframe pages
- 2016-17 Local file overwriting and potential privilege escalation through CSP reports
- 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
# Fixed in Thunderbird 38.8
- 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
- 2016-36 Use-after-free during processing of DER encoded keys in NSS
# Fixed in Thunderbird 38.7
- 2016-37 Font vulnerabilities in the Graphite 2 library
- 2016-35 Buffer overflow during ASN.1 decoding in NSS
- 2016-34 Out-of-bounds read in HTML parser following a failed allocation
- 2016-31 Memory corruption with malicious NPAPI plugin
- 2016-27 Use-after-free during XML transformations
- 2016-24 Use-after-free in SetBody
- 2016-23 Use-after-free in HTML5 string parser
- 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing
- 2016-17 Local file overwriting and potential privilege escalation through CSP reports
- 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7)
# Fixed in Thunderbird 38.6
- 2016-14 Vulnerabilities in Graphite 2
- 2016-03 Buffer overflow in WebGL after out of memory allocation
- 2016-01 Miscellaneous memory safety hazards (rv:44.0 / rv:38.6)
- 2015-150 MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature
# Fixed in Thunderbird 38.5
- 2015-149 Cross-site reading attack through data and view-source URIs
- 2015-146 Integer overflow in MP4 playback in 64-bit versions
- 2015-145 Underflow through code inspection
- 2015-139 Integer overflow allocating extremely large textures
- 2015-134 Miscellaneous memory safety hazards (rv:43.0 / rv:38.5)
# Fixed in Thunderbird 38.4
- 2015-133 NSS and NSPR memory corruption issues
- 2015-132 Mixed content WebSocket policy bypass through workers
- 2015-131 Vulnerabilities found through code inspection
- 2015-128 Memory corruption in libjar through zip files
- 2015-127 CORS preflight is bypassed when non-standard Content-Type headers are received
- 2015-123 Buffer overflow during image interactions in canvas
- 2015-122 Trailing whitespace in IP address hostnames can bypass same-origin policy
- 2015-116 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4)
# Fixed in Thunderbird 38.3
- 2015-113 Memory safety errors in libGLES in the ANGLE graphics library
- 2015-112 Vulnerabilities found through code inspection
- 2015-111 Errors in the handling of CORS preflight request headers
- 2015-110 Dragging and dropping images exposes final URL after redirects
- 2015-106 Use-after-free while manipulating HTML media content
- 2015-105 Buffer overflow while decoding WebM video
- 2015-101 Buffer overflow in libvpx while parsing vp9 format video
- 2015-100 Arbitrary file manipulation by local user through Mozilla updater
- 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3)
# Fixed in Thunderbird 38.2
- 2015-90 Vulnerabilities found through code inspection
- 2015-88 Heap overflow in gdk-pixbuf when scaling bitmap images
- 2015-85 Out-of-bounds write with Updater and malicious MAR file
- 2015-84 Arbitrary file overwriting through Mozilla Maintenance Service with hard links
- 2015-79 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2)
# Fixed in Thunderbird 38.1
- 2015-71 NSS incorrectly permits skipping of ServerKeyExchange
- 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
- 2015-67 Key pinning is ignored when overridable errors are encountered
- 2015-66 Vulnerabilities found through code inspection
- 2015-63 Use-after-free in Content Policy due to microtask execution error
- 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
# Fixed in Thunderbird 38.0.1
- 2015-58 Mozilla Windows updater can be run outside of application directory
- 2015-57 Privilege escalation through IPC channel messages
- 2015-54 Buffer overflow when parsing compressed XML
- 2015-51 Use-after-free during text processing with vertical text enabled
- 2015-48 Buffer overflow with SVG content and CSS
- 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
- 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
# Fixed in Thunderbird 31.8
- 2015-71 NSS incorrectly permits skipping of ServerKeyExchange
- 2015-70 NSS accepts export-length DHE keys with regular DHE cipher suites
- 2015-66 Vulnerabilities found through code inspection
- 2015-59 Miscellaneous memory safety hazards (rv:39.0 / rv:31.8 / rv:38.1)
# Fixed in Thunderbird 31.7
- 2015-57 Privilege escalation through IPC channel messages
- 2015-54 Buffer overflow when parsing compressed XML
- 2015-51 Use-after-free during text processing with vertical text enabled
- 2015-48 Buffer overflow with SVG content and CSS
- 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer
- 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7)
# Fixed in Thunderbird 31.6
- 2015-40 Same-origin bypass through anchor navigation
- 2015-37 CORS requests should not follow 30x redirections after preflight
- 2015-33 resource:// documents can load privileged pages
- 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
- 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
# Fixed in Thunderbird 31.5
- 2015-24 Reading of local files through manipulation of form autocomplete
- 2015-19 Out-of-bounds read and write while rendering SVG content
- 2015-16 Use-after-free in IndexedDB
- 2015-12 Invoking Mozilla updater will load locally stored DLL files
- 2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5)
# Fixed in Thunderbird 31.4
- 2015-04 Cookie injection through Proxy Authenticate responses
- 2015-03 sendBeacon requests lack an Origin header
- 2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4)
# Fixed in Thunderbird 31.3
- 2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
- 2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
- 2014-88 Buffer overflow while parsing media content
- 2014-87 Use-after-free during HTML5 parsing
- 2014-85 XMLHttpRequest crashes with some input streams
- 2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
# Fixed in Thunderbird 31.2
- 2014-81 Inconsistent video sharing within iframe
- 2014-79 Use-after-free interacting with text directionality
- 2014-77 Out-of-bounds write with WebM video
- 2014-76 Web Audio memory corruption issues with custom waveforms
- 2014-75 Buffer overflow during CSS manipulation
- 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)
# Fixed in Thunderbird 31.1.2
# Fixed in Thunderbird 31.1
- 2014-72 Use-after-free setting text directionality
- 2014-70 Out-of-bounds read in Web Audio audio timeline
- 2014-69 Uninitialized memory use during GIF rendering
- 2014-68 Use-after-free during DOM interactions with SVG
- 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
# Fixed in Thunderbird 31
- 2014-66 IFRAME sandbox same-origin access through redirect
- 2014-65 Certificate parsing broken by non-standard character encoding
- 2014-64 Crash in Skia library when scaling high quality images
- 2014-63 Use-after-free while when manipulating certificates in the trusted cache
- 2014-62 Exploitable WebGL crash with Cesium JavaScript library
- 2014-61 Use-after-free with FireOnStateChange event
- 2014-59 Use-after-free in DirectWrite font handling
- 2014-58 Use-after-free in Web Audio due to incorrect control message ordering
- 2014-57 Buffer overflow during Web Audio buffering for playback
- 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
# Fixed in Thunderbird 24.8.1
# Fixed in Thunderbird 24.8
- 2014-72 Use-after-free setting text directionality
- 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
# Fixed in Thunderbird 24.7
- 2014-64 Crash in Skia library when scaling high quality images
- 2014-63 Use-after-free while when manipulating certificates in the trusted cache
- 2014-62 Exploitable WebGL crash with Cesium JavaScript library
- 2014-61 Use-after-free with FireOnStateChange event
- 2014-59 Use-after-free in DirectWrite font handling
- 2014-56 Miscellaneous memory safety hazards (rv:31.0 / rv:24.7)
# Fixed in Thunderbird 24.6
- 2014-52 Use-after-free with SMIL Animation Controller
- 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
- 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
# Fixed in Thunderbird 24.5
- 2014-46 Use-after-free in nsHostResolver
- 2014-44 Use-after-free in imgLoader while resizing images
- 2014-43 Cross-site scripting (XSS) using history navigations
- 2014-42 Privilege escalation through Web Notification API
- 2014-38 Buffer overflow when using non-XBL object as XBL
- 2014-37 Out of bounds read while decoding JPG images
- 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
# Fixed in Thunderbird 24.4
- 2014-32 Out-of-bounds write through TypedArrayObject after neutering
- 2014-31 Out-of-bounds read/write through neutering ArrayBuffer objects
- 2014-30 Use-after-free in TypeObject
- 2014-29 Privilege escalation using WebIDL-implemented APIs
- 2014-28 SVG filters information disclosure through feDisplacementMap
- 2014-27 Memory corruption in Cairo during PDF font rendering
- 2014-26 Information disclosure through polygon rendering in MathML
- 2014-17 Out of bounds read during WAV file decoding
- 2014-16 Files extracted during updates are not always read only
- 2014-15 Miscellaneous memory safety hazards (rv:28.0 / rv:24.4)
# Fixed in Thunderbird 24.3
- 2014-13 Inconsistent JavaScript handling of access to Window objects
- 2014-12 NSS ticket handling issues
- 2014-09 Cross-origin information leak through web workers
- 2014-08 Use-after-free with imgRequestProxy and image proccessing
- 2014-04 Incorrect use of discarded images by RasterImage
- 2014-02 Clone protected content with XBL scopes
- 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
# Fixed in Thunderbird 24.2
- 2013-117 Mis-issued ANSSI/DCSSI certificate
- 2013-116 JPEG information leak
- 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
- 2013-114 Use-after-free in synthetic mouse movement
- 2013-113 Trust settings for built-in roots ignored during EV certificate validation
- 2013-111 Segmentation violation when replacing ordered list elements
- 2013-109 Use-after-free during Table Editing
- 2013-108 Use-after-free in event listeners
- 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
# Fixed in Thunderbird 24.1.1
# Fixed in Thunderbird 24.1
- 2013-102 Use-after-free in HTML document templates
- 2013-101 Memory corruption in workers
- 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
- 2013-98 Use-after-free when updating offline cache
- 2013-97 Writing to cycle collected object during image decoding
- 2013-96 Improperly initialized memory and overflows in some JavaScript functions
- 2013-95 Access violation with XSLT and uninitialized data
- 2013-94 Spoofing addressbar though SELECT element
- 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
# Fixed in Thunderbird 24
- 2013-92 GC hazard with default compartments and frame chain restoration
- 2013-91 User-defined properties on DOM proxies get the wrong "this" object
- 2013-90 Memory corruption involving scrolling
- 2013-89 Buffer overflow with multi-column, lists, and floats
- 2013-88 Compartment mismatch re-attaching XBL-backed nodes
- 2013-85 Uninitialized data in IonMonkey
- 2013-83 Mozilla Updater does not lock MAR file after signature verification
- 2013-82 Calling scope for new Javascript objects can lead to memory corruption
- 2013-81 Use-after-free with select element
- 2013-80 NativeKey continues handling key messages after widget is destroyed
- 2013-79 Use-after-free in Animation Manager during stylesheet cloning
- 2013-77 Improper state in HTML5 Tree Builder with templates
- 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
# Fixed in Thunderbird 23
# Fixed in Thunderbird 17.0.8
- 2013-75 Local Java applets may read contents of local file system
- 2013-73 Same-origin bypass with web workers and XMLHttpRequest
- 2013-72 Wrong principal used for validating URI for some Javascript components
- 2013-71 Further Privilege escalation through Mozilla Updater
- 2013-69 CRMF requests allow for code execution and XSS attacks
- 2013-68 Document URI misrepresentation and masquerading
- 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
- 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
# Fixed in Thunderbird 17.0.7
- 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
- 2013-56 PreserveWrapper has inconsistent behavior
- 2013-55 SVG filters can lead to information disclosure
- 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
- 2013-53 Execution of unmapped memory through onreadystatechange event
- 2013-51 Privileged content access and execution via XBL
- 2013-50 Memory corruption found using Address Sanitizer
- 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
# Fixed in Thunderbird 17.0.6
- 2013-48 Memory corruption found using Address Sanitizer
- 2013-47 Uninitialized functions in DOMSVGZoomEvent
- 2013-46 Use-after-free with video and onresize event
- 2013-44 Local privilege escalation through Mozilla Maintenance Service
- 2013-42 Privileged access for content level constructor
- 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
# Fixed in Thunderbird 17.0.5
- 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
- 2013-38 Cross-site scripting (XSS) using timed history navigations
- 2013-36 Bypass of SOW protections allows cloning of protected nodes
- 2013-35 WebGL crash with Mesa graphics driver on Linux
- 2013-34 Privilege escalation through Mozilla Updater
- 2013-32 Privilege escalation through Mozilla Maintenance Service
- 2013-31 Out-of-bounds write in Cairo library
- 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)
# Fixed in Thunderbird 17.0.4
# Fixed in Thunderbird 17.0.3
- 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
- 2013-27 Phishing on HTTPS connection through malicious proxy
- 2013-26 Use-after-free in nsImageLoadingContent
- 2013-25 Privacy leak in JavaScript Workers
- 2013-24 Web content bypass of COW and SOW security wrappers
- 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
# Fixed in Thunderbird 17.0.2
- 2013-20 Mis-issued TURKTRUST certificates
- 2013-19 Use-after-free in Javascript Proxy objects
- 2013-18 Use-after-free in Vibrate
- 2013-17 Use-after-free in ListenerManager
- 2013-16 Use-after-free in serializeToStream
- 2013-15 Privilege escalation through plugin objects
- 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
- 2013-13 Memory corruption in XBL with XML bindings containing SVG
- 2013-12 Buffer overflow in Javascript string concatenation
- 2013-11 Address space layout leaked in XBL objects
- 2013-10 Event manipulation in plugin handler to bypass same-origin policy
- 2013-09 Compartment mismatch with quickstubs returned values
- 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
- 2013-07 Crash due to handling of SSL on threads
- 2013-05 Use-after-free when displaying table with many columns and column groups
- 2013-04 URL spoofing in addressbar during page loads
- 2013-03 Buffer Overflow in Canvas
- 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
- 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)
# Fixed in Thunderbird 17
- 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
- 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
- 2012-103 Frames can shadow top.location
- 2012-101 Improper character decoding in HZ-GB-2312 charset
- 2012-100 Improper security filtering for cross-origin wrappers
- 2012-99 XrayWrappers exposes chrome-only properties when not in chrome compartment
- 2012-97 XMLHttpRequest inherits incorrect principal within sandbox
- 2012-96 Memory corruption in str_unescape
- 2012-94 Crash when combining SVG text on path with CSS
- 2012-93 evalInSanbox location context incorrectly applied
- 2012-92 Buffer overflow while rendering GIF images
- 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)
# Fixed in Thunderbird 16.0.2
- 2012-90 Fixes for Location object issues
- 2012-67 Installer will launch incorrect executable following new installation
# Fixed in Thunderbird 16.0.1
- 2012-89 defaultValue security checks not applied
- 2012-88 Miscellaneous memory safety hazards (rv:16.0.1)
# Fixed in Thunderbird 16
- 2012-87 Use-after-free in the IME State Manager
- 2012-86 Heap memory corruption issues found using Address Sanitizer
- 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
- 2012-84 Spoofing and script injection through location.hash
- 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
- 2012-82 top object and location property accessible by plugins
- 2012-81 GetProperty function can bypass security checks
- 2012-80 Crash with invalid cast when using instanceof operator
- 2012-79 DOS and crash with full screen and history navigation
- 2012-77 Some DOMWindowUtils methods bypass security checks
- 2012-76 Continued access to initial origin after setting document.domain
- 2012-75 select element persistance allows for attacks
- 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
# Fixed in Thunderbird 15
- 2012-72 Web console eval capable of executing chrome-privileged code
- 2012-70 Location object security checks bypassed by chrome code
- 2012-68 DOMParser loads linked resources in extensions when parsing text/html
- 2012-65 Out-of-bounds read in format-number in XSLT
- 2012-64 Graphite 2 memory corruption
- 2012-63 SVG buffer overflow and use-after-free issues
- 2012-62 WebGL use-after-free and memory corruption
- 2012-61 Memory corruption with bitmap format images with negative height
- 2012-59 Location object can be shadowed using Object.defineProperty
- 2012-58 Use-after-free issues found using Address Sanitizer
- 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)
# Fixed in Thunderbird 14
- 2012-56 Code execution through javascript: URLs
- 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
- 2012-52 JSDependentString::undepend string conversion results in memory corruption
- 2012-51 X-Frame-Options header ignored when duplicated
- 2012-50 Out of bounds read in QCMS
- 2012-49 Same-compartment Security Wrappers can be bypassed
- 2012-48 use-after-free in nsGlobalWindow::PageHidden
- 2012-47 Improper filtering of javascript in HTML feed-view
- 2012-45 Spoofing issue with location
- 2012-44 Gecko memory corruption
- 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)
# Fixed in Thunderbird 13
- 2012-54 Clickjacking of certificate warning page
- 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
- 2012-39 NSS parsing errors with zero length items
- 2012-38 Use-after-free while replacing/inserting a node in a document
- 2012-37 Information disclosure though Windows file shares and shortcut files
- 2012-36 Content Security Policy inline-script bypass
- 2012-35 Privilege escalation through Mozilla Updater and Windows Updater Service
- 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)
# Fixed in Thunderbird 12
- 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
- 2012-32 HTTP Redirections and remote content can be read by javascript errors
- 2012-31 Off-by-one error in OpenType Sanitizer
- 2012-30 Crash with WebGL content using textImage2D
- 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
- 2012-28 Ambiguous IPv6 in Origin headers may bypass webserver access restrictions
- 2012-27 Page load short-circuit can lead to XSS
- 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
- 2012-25 Potential memory corruption during font rendering using cairo-dwrite
- 2012-24 Potential XSS via multibyte content processing errors
- 2012-23 Invalid frees causes heap corruption in gfxImageSurface
- 2012-22 use-after-free in IDBKeyRange
- 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)
# Fixed in Thunderbird 11
- 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
- 2012-18 window.fullScreen writeable by untrusted content
- 2012-17 Crash when accessing keyframe cssText after dynamic modification
- 2012-16 Escalation of privilege with Javascript: URL as home page
- 2012-15 XSS with multiple Content Security Policy headers
- 2012-14 SVG issues found with Address Sanitizer
- 2012-13 XSS with Drag and Drop and Javascript: URL
- 2012-12 Use-after-free in shlwapi.dll
# Fixed in Thunderbird 10.0.2
# Fixed in Thunderbird 10.0.1
# Fixed in Thunderbird 10
- 2012-08 Crash with malformed embedded XSLT stylesheets
- 2012-07 Potential Memory Corruption When Decoding Ogg Vorbis files
- 2012-06 Uninitialized memory appended when encoding icon images may cause information disclosure
- 2012-05 Frame scripts calling into untrusted objects bypass security checks
- 2012-04 Child nodes from nsDOMAttribute still accessible after removal of nodes
- 2012-03 <iframe> element exposed across domains via name attribute
- 2012-01 Miscellaneous memory safety hazards (rv:10.0/ 1.9.2.26)
# Fixed in Thunderbird 9
- 2012-41 Use-after-free in nsHTMLSelectElement
- 2011-58 Crash scaling <video> to extreme sizes
- 2011-57 Crash when plugin removes itself on Mac OS X
- 2011-56 Key detection without JavaScript via SVG animation
- 2011-55 nsSVGValue out-of-bounds access
- 2011-54 Potentially exploitable crash in the YARR regular expression library
- 2011-53 Miscellaneous memory safety hazards (rv:9.0)
# Fixed in Thunderbird 8
- 2011-52 Code execution via NoWaiverWrapper
- 2011-51 Cross-origin image theft on Mac with integrated Intel GPU
- 2011-50 Cross-origin data theft using canvas and Windows D2D
- 2011-49 Memory corruption while profiling using Firebug
- 2011-48 Miscellaneous memory safety hazards (rv:8.0)
- 2011-47 Potential XSS against sites using Shift-JIS
# Fixed in Thunderbird 7
- 2012-02 Overly permissive IPv6 literal syntax
- 2011-44 Use after free reading OGG headers
- 2011-42 Potentially exploitable crash in the YARR regular expression library
- 2011-40 Code installation through holding down Enter
- 2011-39 Defense against multiple Location headers due to CRLF Injection
- 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:1.9.2.23)