Bug 2359786 (CVE-2025-3523) - CVE-2025-3523 thunderbird: User Interface (UI) Misrepresentation of attachment URL
Summary: CVE-2025-3523 thunderbird: User Interface (UI) Misrepresentation of attachmen...
Keywords:
Status: NEW
Alias: CVE-2025-3523
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-15 16:01 UTC by OSIDB Bzimport
Modified: 2025-05-07 12:55 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:4229 0 None None None 2025-04-28 01:22:48 UTC
Red Hat Product Errata RHSA-2025:4389 0 None None None 2025-04-30 10:30:57 UTC
Red Hat Product Errata RHSA-2025:4512 0 None None None 2025-05-06 07:47:43 UTC
Red Hat Product Errata RHSA-2025:4513 0 None None None 2025-05-06 07:41:54 UTC
Red Hat Product Errata RHSA-2025:4514 0 None None None 2025-05-06 07:55:51 UTC
Red Hat Product Errata RHSA-2025:4617 0 None None None 2025-05-07 05:53:22 UTC
Red Hat Product Errata RHSA-2025:4649 0 None None None 2025-05-07 08:26:46 UTC
Red Hat Product Errata RHSA-2025:4654 0 None None None 2025-05-07 09:06:41 UTC
Red Hat Product Errata RHSA-2025:4665 0 None None None 2025-05-07 12:55:46 UTC

Description OSIDB Bzimport 2025-04-15 16:01:15 UTC 
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Comment 1 errata-xmlrpc 2025-04-28 01:22:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4229 https://access.redhat.com/errata/RHSA-2025:4229
Comment 2 errata-xmlrpc 2025-04-30 10:30:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:4389 https://access.redhat.com/errata/RHSA-2025:4389
Comment 3 errata-xmlrpc 2025-05-06 07:41:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:4513 https://access.redhat.com/errata/RHSA-2025:4513
Comment 4 errata-xmlrpc 2025-05-06 07:47:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:4512 https://access.redhat.com/errata/RHSA-2025:4512
Comment 5 errata-xmlrpc 2025-05-06 07:55:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:4514 https://access.redhat.com/errata/RHSA-2025:4514
Comment 6 errata-xmlrpc 2025-05-07 05:53:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:4617 https://access.redhat.com/errata/RHSA-2025:4617
Comment 7 errata-xmlrpc 2025-05-07 08:26:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:4649 https://access.redhat.com/errata/RHSA-2025:4649
Comment 8 errata-xmlrpc 2025-05-07 09:06:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2025:4654 https://access.redhat.com/errata/RHSA-2025:4654
Comment 9 errata-xmlrpc 2025-05-07 12:55:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:4665 https://access.redhat.com/errata/RHSA-2025:4665
Note You need to log in before you can comment on or make changes to this bug.