If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2022-50/#CVE-2022-45414
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:9077 https://access.redhat.com/errata/RHSA-2022:9077
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:9075 https://access.redhat.com/errata/RHSA-2022:9075
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2022:9076 https://access.redhat.com/errata/RHSA-2022:9076
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:9080 https://access.redhat.com/errata/RHSA-2022:9080
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2022:9078 https://access.redhat.com/errata/RHSA-2022:9078
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:9081 https://access.redhat.com/errata/RHSA-2022:9081
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:9074 https://access.redhat.com/errata/RHSA-2022:9074
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:9079 https://access.redhat.com/errata/RHSA-2022:9079
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45414