
=====================================================================

                                 CERT-Renater

                      Information Note No. 2022/VULN484

_____________________________________________________________________

DATE                : 22/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Thunderbird versions prior to
                     102.6.1.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2022-54
Security Vulnerabilities fixed in Thunderbird 102.6.1

Announced        December 20, 2022
Impact           high
Products         Thunderbird
Fixed in
          Thunderbird 102.6.1


In general, these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled when reading mail,
but they are potential risks in browser or browser-like contexts.

CVE-2022-46874: Drag and Dropped Filenames could have been
truncated to malicious extensions

Reporter
      Matthias Zoellner
Impact
      moderate

Description

A file with a long filename could have had its filename truncated
to remove the valid extension, leaving a malicious extension in its
place. This could potentially have led to user confusion and the
execution of malicious code.

Note: This issue was originally included in the advisories for
Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted,
resulting in it actually being fixed in Thunderbird 102.6.1.
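
Added example, not taken from the Mozilla advisory or from Thunderbird's
code: how cutting a name to a length limit can change its effective
extension, a check that flags this, and a truncation that shortens the stem
instead. The 16-character limit, the constructed sample name and all function
names are assumptions.

```javascript
// Added illustration. LIMIT, SAMPLE and every function name are assumptions;
// lengths are counted in UTF-16 code units, as String.prototype.slice does.
const LIMIT = 16; // small assumed limit so the effect is easy to see

// Constructed sample: ends in ".pdf", with an inner ".exe" ending at LIMIT.
const SAMPLE = 'x'.repeat(12) + '.exe.pdf';

// Extension = text after the last dot, lower-cased ('' when there is none).
function extensionOf(name) {
  const i = name.lastIndexOf('.');
  return i > 0 && i < name.length - 1 ? name.slice(i + 1).toLowerCase() : '';
}

// Naive truncation: drop everything past the limit, extension included.
function naiveTruncate(name, max = LIMIT) {
  return name.length <= max ? name : name.slice(0, max);
}

// Check: would naive truncation change (or drop) the effective extension?
function truncationChangesType(name, max = LIMIT) {
  return extensionOf(naiveTruncate(name, max)) !== extensionOf(name);
}

// Safer truncation: shorten the stem and keep the original final extension.
function safeTruncate(name, max = LIMIT) {
  if (name.length <= max) return name;
  const ext = extensionOf(name);
  if (!ext) return name.slice(0, max);
  const suffix = '.' + name.slice(name.length - ext.length); // original case
  if (suffix.length >= max) {
    throw new RangeError('extension does not fit within the length limit');
  }
  return name.slice(0, max - suffix.length) + suffix;
}

console.log(naiveTruncate(SAMPLE));         // ends in ".exe"
console.log(truncationChangesType(SAMPLE)); // true
console.log(safeTruncate(SAMPLE));          // ends in ".pdf"
```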


References

      Bug 1746139



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


