Vulnerability Details: CVE-2006-0884
Potential exploit
The WYSIWYG rendering engine ("rich mail" editor) in Mozilla Thunderbird 1.0.7 and earlier allows user-assisted attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail.
Vulnerability category: Input validation
Products affected by CVE-2006-0884
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:1.0.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-0884
- EPSS score: 92.45% (probability of exploitation activity in the next 30 days)
- Percentile: ~99% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2006-0884
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
CWE ids for CVE-2006-0884
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Assigned by: nvd@nist.gov (Primary)
References for CVE-2006-0884
-
http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm
ASA-2006-205 (SUN 102502, 102513, 102514, 102519, 102550, 102556, 102557, 102582, 102588, 102589, 102593)
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/25983
Multiple Mozilla products in-line mail forwarding JavaScript code execution Vulnerability Report
-
http://www.mozilla.org/security/announce/2006/mfsa2006-21.html
JavaScript execution in mail when forwarding in-line — Mozilla
Vendor Advisory
-
http://www.novell.com/linux/security/advisories/2006_04_25.html
-
http://www.vupen.com/english/advisories/2006/3749
Vendor Advisory
-
http://www.redhat.com/support/errata/RHSA-2006-0330.html
Support
-
http://www.debian.org/security/2006/dsa-1051
[SECURITY] [DSA 1051-1] New Mozilla Thunderbird packages fix several vulnerabilities
Patch
-
http://securitytracker.com/id?1015665
Exploit
-
http://www.redhat.com/support/errata/RHSA-2006-0329.html
Support
-
http://www.securityfocus.com/archive/1/438730/100/0/threaded
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2024
-
http://www.mandriva.com/security/advisories?name=MDKSA-2006:078
Mandriva
-
http://www.gentoo.org/security/en/glsa/glsa-200605-09.xml
Mozilla Thunderbird: Multiple vulnerabilities (GLSA 200605-09) — Gentoo security
-
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.26/SCOSA-2006.26.txt
-
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102550-1
-
http://sunsolve.sun.com/search/document.do?assetkey=1-26-228526-1
-
http://www.mandriva.com/security/advisories?name=MDKSA-2006:076
Mandriva
-
http://www.securityfocus.com/archive/1/436296/100/0/threaded
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10782
-
http://www.debian.org/security/2006/dsa-1046
[SECURITY] [DSA 1046-1] New Mozilla packages fix several vulnerabilities
Patch
-
http://lists.suse.com/archive/suse-security-announce/2006-Apr/0003.html
-
http://www.securityfocus.com/archive/1/425786/100/0/threaded
-
ftp://patches.sgi.com/support/free/security/advisories/20060404-01-U.asc
-
http://www.mandriva.com/security/advisories?name=MDKSA-2006:052
Mandriva
-
https://usn.ubuntu.com/276-1/
-
http://www.securityfocus.com/archive/1/446657/100/200/threaded
-
http://www.gentoo.org/security/en/glsa/glsa-200604-18.xml
Mozilla Suite: Multiple vulnerabilities (GLSA 200604-18) — Gentoo security
-
http://www.securityfocus.com/bid/16770
Exploit;Patch