CVE-2022-3033 : If a Thunderbird user replied to a crafted HTML email containing a <code>meta</c

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Published 2022-12-22 20:15:38

Updated 2025-04-15 17:15:37

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2022-3033

Mozilla » Thunderbird
Versions from including (>=) 102.0 and before (<) 102.2.1
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 91.13.1
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-3033

EPSS FAQ

0.46%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 61 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-3033

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	2.8	5.2	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-3033

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-3033

https://www.mozilla.org/security/advisories/mfsa2022-38/

Security Vulnerabilities fixed in Thunderbird 102.2.1 — Mozilla
Vendor Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1784838

Access Denied
Issue Tracking;Permissions Required;Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-39/

Security Vulnerabilities fixed in Thunderbird 91.13.1 — Mozilla
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-3033

Products affected by CVE-2022-3033

Exploit prediction scoring system (EPSS) score for CVE-2022-3033

CVSS scores for CVE-2022-3033

CWE ids for CVE-2022-3033

References for CVE-2022-3033