Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2018-18509

Published: 26/04/2019 Updated: 03/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Subscribe to Mozilla

Vulnerability Summary

A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an malicious user to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

mozilla thunderbird

Vendor Advisories

Ubuntu Security Notice: thunderbird vulnerabilities
Several security issues were fixed in Thunderbird ...
Debian Security Advisories: DSA-4392-1 thunderbird -- security update
Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures For the stable distribution (stretch), these problems have been fixed in version 1:6051-1~deb9u1 We recommend that you upgrade your thunderbird packages For the detaile ...
Mozilla: Security vulnerabilities fixed in Thunderbird 60.5.1
Mozilla Foundation Security Advisory 2019-06 Security vulnerabilities fixed in Thunderbird 6051 Announced February 14, 2019 Impact high Products Thunderbird Fixed in Thunderbird 6051 ...
Arch Linux Issues:
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird before 6051 as having a valid digital signature, even if the shown message contents aren't covered by the signature The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content ...

Mailing Lists

Full Disclosure: Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients) <!--X-Subject-Header-End--> <!--X-Head-of-Message--> Fro ...

References

CWE-347https://www.mozilla.org/security/advisories/mfsa2019-06/https://bugzilla.mozilla.org/show_bug.cgi?id=1507218http://www.openwall.com/lists/oss-security/2019/04/30/4http://seclists.org/fulldisclosure/2019/Apr/38http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.htmlhttps://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdfhttps://github.com/RUB-NDS/Johnny-You-Are-Firedhttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00043.htmlhttps://access.redhat.com/errata/RHSA-2019:1144https://usn.ubuntu.com/3897-1/https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
deserializationCVE-2024-4040cross-site scriptingCVE-2023-25790CVE-2024-2961XML external entityCVE-2024-26926CVE-2024-32806CVE-2024-32711
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook