A vulnerability has been found in Mozilla Thunderbird (unknown version) and classified as problematic. Affected by this vulnerability is an unknown code block of the component Pointer Lock Handler. The manipulation with an unknown input leads to a clickjacking vulnerability. The CWE definition for the vulnerability is CWE-451. The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. As an impact it is known to affect integrity. The summary by CVE is:

A missing delay on when pointer lock was used could have allowed a malicious page to trick a user into granting permissions. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

The advisory is shared at mozilla.org. This vulnerability is known as CVE-2024-2611 since 03/18/2024. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/19/2024). MITRE ATT&CK project uses the attack technique T1566.003 for this issue.

Upgrading eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

The entries VDB-257263, VDB-257264, VDB-257265 and VDB-257266 are related to this item.

Productinfo

Type

• Mail Client Software

Vendor

• Mozilla

Name

• Thunderbird

License

• open-source

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion