Mozilla Thunderbird 17.0.6 email application is vulnerable to critical validation and filter bypass vulnerability, enables an attacker to bypass the filter that prevents HTML tags from being used in messages.
According to a Security Advisory released by Vulnerability-Lab, the flaw resides in Mozilla's Gecko engine. During the testing, the researchers found many java script errors which gave the researcher much hope in believing that the application might actually be vulnerable.
By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion. However, while drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and combine it with the <object> tag.
The malicious code can be triggered on the recipient's machine, when one will 'Reply' or 'Forward' that message.
The malicious code can be injected while creating a new message, inside the email signature or use the attached file with Signature.
Researchers from the Vulnerability Lab said, "These sorts of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application."
Exploitation of this persistent application vulnerability requires a low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed in the victim's browser.
The vulnerability is fixed in the latest versions (24.2.0) of Thunderbird, and users are highly recommended to upgrade as soon as possible.