CVE-2025-3523

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1958385	Permissions Required
https://www.mozilla.org/security/advisories/mfsa2025-26/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-27/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

History

No history.

Information

Published : 2025-04-15 15:16

Updated : 2025-06-13 18:51

NVD link : CVE-2025-3523

Mitre link : CVE-2025-3523

CVE.ORG link : CVE-2025-3523

JSON object : View

Products Affected

mozilla

thunderbird

CWE

CWE-451

User Interface (UI) Misrepresentation of Critical Information

{"id": "CVE-2025-3523", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.6}]}, "published": "2025-04-15T15:16:09.957", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1958385", "tags": ["Permissions Required"], "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-26/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-27/", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-451"}]}], "descriptions": [{"lang": "en", "value": "When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2."}, {"lang": "es", "value": "Cuando un correo electr\u00f3nico contiene varios archivos adjuntos con enlaces externos mediante el encabezado X-Mozilla-External-Attachment-URL, solo se muestra el \u00faltimo enlace al pasar el cursor sobre cualquier archivo adjunto. Aunque se usa el enlace correcto al hacer clic, el texto enga\u00f1oso al pasar el cursor podr\u00eda inducir a los usuarios a descargar contenido de fuentes no confiables. Esta vulnerabilidad afecta a Thunderbird (versi\u00f3n anterior a la 137.0.2) y Thunderbird (versi\u00f3n anterior a la 128.9.2)."}], "lastModified": "2025-06-13T18:51:08.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D11A3908-71D7-4967-8029-0D4DD57F384C", "versionEndExcluding": "128.9.2"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "971D9339-D135-4B63-A4DA-E333080DA5E6", "versionEndExcluding": "137.0.2", "versionStartIncluding": "129.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}