Vulnerability Name:

CVE-2006-1045 (CCN-24959)

Assigned: 2006-02-28
Published: 2006-02-28
Updated: 2018-10-18
Summary: The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed.
CVSS v3 Severity: 6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
1.9 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information
References:

Source: CCN
Type: Full-Disclosure Mailing List, Tue Feb 28 2006 - 12:59:32 CST
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

Source: MITRE
Type: CNA
CVE-2006-1045

Source: CCN
Type: RHSA-2006-0330
thunderbird security update

Source: SECUNIA
Type: UNKNOWN
19821

Source: SECUNIA
Type: UNKNOWN
19823

Source: SECUNIA
Type: UNKNOWN
19863

Source: SECUNIA
Type: UNKNOWN
19902

Source: SECUNIA
Type: UNKNOWN
19941

Source: SECUNIA
Type: UNKNOWN
19950

Source: SECUNIA
Type: UNKNOWN
20051

Source: SECUNIA
Type: UNKNOWN
22065

Source: SREASON
Type: UNKNOWN
514

Source: CCN
Type: ASA-2006-085
Mozilla Firefox and Thunderbird security update (RHSA-2006-0328 RHSA-2006-0329 RHSA-2006-330)

Source: CCN
Type: ASA-2007-135
HP-UX Running Thunderbird Remote Unauthorized Access or Elevation of Privileges or Denial of Service (HPSBUX02156)

Source: DEBIAN
Type: UNKNOWN
DSA-1046

Source: DEBIAN
Type: UNKNOWN
DSA-1051

Source: DEBIAN
Type: DSA-1046
mozilla -- several vulnerabilities

Source: DEBIAN
Type: DSA-1051
mozilla-thunderbird -- several vulnerabilities

Source: CCN
Type: GLSA-200604-18
Mozilla Suite: Multiple vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200604-18

Source: CCN
Type: GLSA-200605-09
Mozilla Thunderbird: Multiple vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200605-09

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:078

Source: CCN
Type: MFSA 2006-26
Mail Multiple Information Disclosure

Source: CONFIRM
Type: UNKNOWN
http://www.mozilla.org/security/announce/2006/mfsa2006-26.html

Source: SUSE
Type: UNKNOWN
SUSE-SA:2006:022

Source: REDHAT
Type: UNKNOWN
RHSA-2006:0330

Source: BUGTRAQ
Type: Exploit
20060228 Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

Source: HP
Type: UNKNOWN
SSRT061236

Source: BID
Type: UNKNOWN
16881

Source: CCN
Type: BID-16881
Mozilla Thunderbird Multiple Remote Information Disclosure Vulnerabilities

Source: BID
Type: UNKNOWN
17516

Source: CCN
Type: BID-17516
Mozilla Suite, Firefox, SeaMonkey, and Thunderbird Multiple Remote Vulnerabilities

Source: CCN
Type: USN-276-1
Thunderbird vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2006-1356

Source: VUPEN
Type: UNKNOWN
ADV-2006-3749

Source: XF
Type: UNKNOWN
thunderbird-inline-information-disclosure(24959)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10254

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1975

Source: UBUNTU
Type: UNKNOWN
USN-276-1

Source: SUSE
Type: SUSE-SA:2006:022
MozillaThunderbird various problems

Vulnerable Configuration:

  • Configuration 1:
  • cpe:/a:mozilla:thunderbird:1.5:-:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:mozilla:thunderbird:1.5:-:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.0:*:oss:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:x86-64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20061045 | V | CVE-2006-1045 | 2015-11-16
oval:org.mitre.oval:def:10254 | V | The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block loading of remote images in mail messages" is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed. | 2013-04-29
oval:org.mitre.oval:def:1975 | V | Mozilla Mail Multiple Information Disclosure | 2011-02-21
oval:org.debian:def:1051 | V | several vulnerabilities | 2006-05-04
oval:org.debian:def:1046 | V | several vulnerabilities | 2006-04-27
oval:com.redhat.rhsa:def:20060330 | P | RHSA-2006:0330: thunderbird security update (Critical) | 2006-04-25
    mozilla thunderbird 1.5
    mozilla thunderbird 1.5 -
    gentoo linux *
    suse suse linux 9.1
    suse suse linux 9.2
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    debian debian linux 3.1
    suse suse linux 10.0
    mandrakesoft mandrake linux 2006
    mandrakesoft mandrake linux 2006
    suse suse linux 9.3