CVE-2021-43528
Publication date 8 December 2021
Last updated 25 August 2025
Ubuntu priority
Description
Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| thunderbird | ||
| 22.04 LTS jammy |
Fixed 1:91.4.0+build1-0ubuntu1
|
|
| 20.04 LTS focal |
Fixed 1:91.5.0+build1-0ubuntu0.20.04.1
|
|
| 18.04 LTS bionic |
Fixed 1:91.5.0+build1-0ubuntu0.18.04.1
|
|
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5246-1
- Thunderbird vulnerabilities
- 21 January 2022
- USN-5248-1
- Thunderbird vulnerabilities
- 21 January 2022