Bug 1063120 (CVE-2013-6674, CVE-2014-2018) - CVE-2013-6674 CVE-2014-2018 Mozilla: Script execution in HTML mail replies (MFSA 2014-14)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6674, CVE-2014-2018
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1058580
Reported: 2014-02-10 04:34 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-12 02:19 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-10 04:38:17 UTC
Embargoed:



Description Huzaifa S. Sidhpurwala 2014-02-10 04:34:28 UTC
Security researcher Fabián Cuchietti discovered that it was possible to bypass the restriction on JavaScript execution in mail by embedding an <iframe> with a data: URL within a message. If the victim replied to or forwarded the mail after receiving it, quoting it "in-line" using Thunderbird's HTML mail editor, it would run the attached script. The running script would be restricted to the mail composition window where it could observe and potentially modify the content of the mail before it was sent. Scripts were not executed if the recipient merely viewed the mail, only if it was edited as HTML. Turning off HTML composition prevented the vulnerability and forwarding the mail "as attachment" prevented the forwarding variant.

Ateeq ur Rehman Khan of Vulnerability Labs reported additional variants of this attack involving the use of the <object> tag and which could be used to attach object data types such as images, audio, or video.


External Reference:

http://www.mozilla.org/security/announce/2014/mfsa2014-14.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Fabián Cuchietti and Ateeq ur Rehman Khan as the original reporters.

Comment 1 Huzaifa S. Sidhpurwala 2014-02-10 04:38:17 UTC
Upstream notes the following:

This affected the Thunderbird 17 branch. It was fixed in all versions based on Gecko 23 or later. Thunderbird 24 and later are not affected by this vulnerability.

Comment 2 Huzaifa S. Sidhpurwala 2014-02-11 02:29:10 UTC
Statement:

This issue was resolved in the version of thunderbird as shipped with Red Hat Enterprise Linux 5 and 6 via RHSA-2013:1823.

Comment 3 Huzaifa S. Sidhpurwala 2014-04-02 05:09:20 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2018 to
the following vulnerability:

Name: CVE-2014-2018
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2018
Reference: MISC: http://www.vulnerability-lab.com/get_content.php?id=953
Reference: CONFIRM: http://www.mozilla.org/security/announce/2014/mfsa2014-14.html
Reference: CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=875818
Reference: CERT-VN:VU#863369
Reference: URL: http://www.kb.cert.org/vuls/id/863369

Cross-site scripting (XSS) vulnerability in Mozilla Thunderbird 17.x
through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey
before 2.20 allows user-assisted remote attackers to inject arbitrary
web script or HTML via an e-mail message containing a data: URL in a
(1) OBJECT or (2) EMBED element, a related issue to CVE-2013-6674.
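
For triage of stored or inbound mail, the following added example (not code from Mozilla, Red Hat or the reporters) flags text/html parts that carry a data: URL in the <iframe>, <object> or <embed> elements named in this bug, including values obscured by letter case, whitespace or character references. The function and class names and the sample message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Element -> URL attribute, for the three elements named in this bug.
URL_ATTRS = {"iframe": "src", "object": "data", "embed": "src"}
LEADING_JUNK = "".join(map(chr, range(0x21)))  # C0 controls and space, ignored before a URL

def is_data_url(value):
    """True if the attribute value resolves to the data: scheme."""
    # Tab, LF and CR are dropped anywhere in a URL; the scheme is case-insensitive.
    cleaned = (value or "").translate({9: None, 10: None, 13: None}).lstrip(LEADING_JUNK)
    return cleaned.lower().startswith("data:")

class DataUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes character references in values.
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and is_data_url(value):
                self.hits.append((tag, name))

def scan_message(raw_bytes):
    """Return (element, attribute) pairs found in the text/html parts of a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = DataUrlFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend(finder.hits)
    return hits

# Constructed sample message; the data: payloads are inert placeholders.
SAMPLE = b"""From: sender@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<IFRAME SRC=" DaTa:text/html,placeholder"></IFRAME>
<object data="&#100;ata:text/html,placeholder"></object>
<embed src="da&#9;ta:text/html,placeholder">
<img src="data:image/png;base64,AAAA">
<iframe src="https://example.com/"></iframe>
"""
```

Calling scan_message(SAMPLE) reports the first three elements and ignores the <img> and the https <iframe>, which fall outside the element/scheme combination this bug describes.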

