Vulnerability Name:

CVE-2006-4570 (CCN-28962)

Assigned:2006-09-15
Published:2006-09-15
Updated:2017-10-11
Summary:Mozilla Thunderbird before 1.5.0.7 and SeaMonkey before 1.0.5, with "Load Images" enabled, allows remote user-assisted attackers to bypass settings that disable JavaScript via a remote XBL file in a message that is loaded when the user views, forwards, or replies to the original message.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
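The summary says the JavaScript is carried by a remote XBL file that the mail client fetches when remote content ("Load Images") is allowed, but not where that reference sits in the message. The following scanner is an added example, not code from this page, from Mozilla or from any of the advisories listed below. It assumes, as the page does not state, that the binding is attached through the CSS property -moz-binding: url(...), which is how Gecko attaches XBL bindings to HTML content, and it walks a raw RFC 822 message, pulls every such URL out of the text/html parts and flags the ones that need a network fetch. The sample message is constructed for the example.

```python
import email
import html
import re
from email import policy
from urllib.parse import urlsplit

# Gecko attaches an XBL binding to HTML content through the CSS property
# -moz-binding: url(<binding-document>#<binding-id>).  (Assumption: the
# advisory itself does not name the property.)  A remote binding document is
# only fetched when the client is allowed to load remote content, which is the
# "Load Images" precondition in the advisory.
BINDING_RE = re.compile(
    r"-moz-binding\s*:\s*url\(\s*['\"]?([^'\")]+?)['\"]?\s*\)", re.IGNORECASE
)
REMOTE_SCHEMES = {"http", "https", "ftp"}


def find_xbl_bindings(raw_message):
    """Return every -moz-binding URL found in the text/html parts of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # Entity-decode so a binding hidden in an encoded style attribute is still seen.
        body = html.unescape(part.get_content())
        for match in BINDING_RE.finditer(body):
            url = match.group(1).strip()
            scheme = urlsplit(url).scheme.lower()
            findings.append({"url": url, "remote": scheme in REMOTE_SCHEMES})
    return findings


def has_remote_xbl(raw_message):
    """True if any HTML part pulls an XBL binding from a network URL."""
    return any(f["remote"] for f in find_xbl_bindings(raw_message))


# Constructed sample message (not a real capture): one remote binding in a
# <style> block, one chrome:// binding that needs no network fetch.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Plain-text alternative.
--b1
Content-Type: text/html; charset=us-ascii

<html><head><style>
  body { -moz-binding: url("http://attacker.example.invalid/bind.xml#evil"); }
</style></head>
<body>
<p style="-moz-binding:url(chrome://global/content/bindings/text.xml#text)">hi</p>
<img src="http://attacker.example.invalid/pixel.gif">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in find_xbl_bindings(SAMPLE_MESSAGE):
        print(("REMOTE " if finding["remote"] else "local  ") + finding["url"])
    print("remote XBL present:", has_remote_xbl(SAMPLE_MESSAGE))
```

The pattern is a string match, not a CSS parser: CSS character escapes in the property name, or a binding introduced through an @import of a remote stylesheet, will not be caught, so a mail gateway should treat any -moz-binding that resolves to a network URL as hostile rather than try to enumerate the safe cases, and the fix on the client side remains the patched versions named in the summary.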
References:Source: SGI
Type: UNKNOWN
20060901-01-P

Source: MITRE
Type: CNA
CVE-2006-4570

Source: CCN
Type: RHSA-2006-0676
seamonkey security update

Source: CCN
Type: RHSA-2006-0677
thunderbird security update

Source: SECUNIA
Type: UNKNOWN
21915

Source: SECUNIA
Type: UNKNOWN
21916

Source: CCN
Type: SA21939
Mozilla Thunderbird Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
21939

Source: CCN
Type: SA21940
Mozilla SeaMonkey Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
21940

Source: SECUNIA
Type: UNKNOWN
22036

Source: SECUNIA
Type: UNKNOWN
22055

Source: SECUNIA
Type: UNKNOWN
22056

Source: SECUNIA
Type: UNKNOWN
22074

Source: SECUNIA
Type: UNKNOWN
22088

Source: SECUNIA
Type: UNKNOWN
22247

Source: SECUNIA
Type: UNKNOWN
22274

Source: SECUNIA
Type: UNKNOWN
22299

Source: SECUNIA
Type: UNKNOWN
22342

Source: SECUNIA
Type: UNKNOWN
22391

Source: GENTOO
Type: UNKNOWN
GLSA-200610-01

Source: GENTOO
Type: UNKNOWN
GLSA-200610-04

Source: CCN
Type: SECTRACK ID: 1016866
Mozilla Seamonkey Lets Remote Users Execute JavaScript Via Remote XBL Files

Source: SECTRACK
Type: UNKNOWN
1016866

Source: CCN
Type: SECTRACK ID: 1016867
Mozilla Thunderbird Lets Remote Users Execute JavaScript Via Remote XBL Files

Source: SECTRACK
Type: UNKNOWN
1016867

Source: CCN
Type: ASA-2006-196
seamonkey security update (RHSA-2006-0676)

Source: CCN
Type: ASA-2006-219
thunderbird security update (RHSA-2006-0677)

Source: DEBIAN
Type: UNKNOWN
DSA-1192

Source: DEBIAN
Type: DSA-1191
mozilla-thunderbird -- several vulnerabilities

Source: DEBIAN
Type: DSA-1192
mozilla -- several vulnerabilities

Source: CCN
Type: GLSA-200610-01
Mozilla Thunderbird: Multiple vulnerabilities

Source: CCN
Type: GLSA-200610-04
Seamonkey: Multiple vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:169

Source: CCN
Type: MFSA 2006-63
JavaScript execution in mail via XBL

Source: CONFIRM
Type: Vendor Advisory
http://www.mozilla.org/security/announce/2006/mfsa2006-63.html

Source: SUSE
Type: UNKNOWN
SUSE-SA:2006:054

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0676

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2006:0677

Source: BID
Type: UNKNOWN
20042

Source: CCN
Type: BID-20042
Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote Vulnerabilities

Source: CCN
Type: USN-350-1
Thunderbird vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-350-1

Source: CCN
Type: USN-352-1
Thunderbird vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-352-1

Source: CCN
Type: USN-361-1
Mozilla vulnerabilities

Source: UBUNTU
Type: UNKNOWN
USN-361-1

Source: DEBIAN
Type: UNKNOWN
DSA-1191

Source: XF
Type: UNKNOWN
thunderbird-seamonkey-xbl-code-execution(28962)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10892

Source: SUSE
Type: SUSE-SA:2006:054
Mozilla Firefox security update

Vulnerable Configuration:Configuration 1:
  • cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version <= 1.0.4)
  • OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version <= 1.5.0.6)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:mozilla:seamonkey:1.0::dev:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5:-:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:thunderbird:1.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0::alpha:*:*:*:*:*
  • OR cpe:/a:mozilla:seamonkey:1.0::beta:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.0::oss:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:10.1::personal:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1::ws:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*
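The configuration list mixes a version range (Thunderbird <= 1.5.0.6, SeaMonkey <= 1.0.4; fixed in 1.5.0.7 and 1.0.5 per the summary) with individual CPE entries whose pre-release tag sits in different fields ("thunderbird:1.5:beta2", "seamonkey:1.0::alpha", "thunderbird:1.5:-"). The following triage helper is an added example, not code from this page or from Mozilla: it orders pre-release builds before the final release of the same number, pads short version strings so "1.5" compares as "1.5.0.0", and evaluates the page's own CPE URIs against the fixed versions. The product-to-fixed-version table is taken from the summary above; everything else is the example's own convention.

```python
import re

# First fixed releases, from the advisory summary.
FIXED_IN = {"thunderbird": "1.5.0.7", "seamonkey": "1.0.5"}

# Pre-release tags sort before the final release of the same number.
PRERELEASE_RANK = {"dev": 0, "alpha": 1, "beta": 2}
FINAL_RANK = 3

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[\s-]*(dev|alpha|beta)(\d*))?")


def parse_version(text):
    """Split '1.5.0.6', '1.5 beta2' or '1.0 alpha' into (numbers, prerelease) tuples."""
    m = VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    if m.group(2):
        prerelease = (PRERELEASE_RANK[m.group(2)], int(m.group(3) or 0))
    else:
        prerelease = (FINAL_RANK, 0)
    return numbers, prerelease


def version_lt(a, b):
    """True if version string a sorts strictly before b ('1.5 beta2' < '1.5' < '1.5.0.7')."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    # Pad the numeric part so '1.5' compares as '1.5.0.0', then append the pre-release rank.
    ka = na + (0,) * (width - len(na)) + pa
    kb = nb + (0,) * (width - len(nb)) + pb
    return ka < kb


def is_vulnerable(product, version):
    """Vulnerable iff the installed version is older than the first fixed release."""
    product = product.lower()
    if product not in FIXED_IN:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return version_lt(version, FIXED_IN[product])


def cpe_is_vulnerable(cpe):
    """Evaluate a CPE 2.2 URI as listed on the page.

    Returns True/False, or None when the version field is a wildcard (the
    'Version <= x' range entries) or the URI is not a Mozilla application.
    Accepts the tag in either the update field ('thunderbird:1.5:beta2') or
    the edition field ('seamonkey:1.0::alpha'), and '-' meaning no tag.
    """
    fields = cpe.split(":")
    if len(fields) < 5 or fields[1] != "/a" or fields[2] != "mozilla":
        return None
    product, version = fields[3], fields[4]
    if version in ("", "*", "-"):
        return None
    tags = [f for f in fields[5:7] if f not in ("", "*", "-")]
    full_version = version + (" " + tags[0] if tags else "")
    return is_vulnerable(product, full_version)


if __name__ == "__main__":
    for cpe in (
        "cpe:/a:mozilla:thunderbird:1.5.0.6:*:*:*:*:*:*:*",
        "cpe:/a:mozilla:thunderbird:1.5:beta2:*:*:*:*:*:*",
        "cpe:/a:mozilla:seamonkey:1.0::alpha:*:*:*:*:*",
        "cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:*",
    ):
        print(cpe, "->", cpe_is_vulnerable(cpe))
```

The wildcard entries return None rather than a verdict on purpose: "Version <= 1.0.4" is a range the checker already encodes through FIXED_IN, and a scanner that reports a wildcard CPE as "vulnerable" for every host would be noise. Distribution packages carry their own version numbering and backported fixes, so for the RedHat, Debian, SUSE, Gentoo, Mandriva and Ubuntu entries the authoritative check is the vendor advisory or OVAL definition listed above, not the upstream version string.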

  • * Denotes that component is vulnerable
    Oval Definitions (Class: V = vulnerability definition, P = patch definition)
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20064570 | V | CVE-2006-4570 | 2015-11-16
    oval:org.mitre.oval:def:10892 | V | Mozilla Thunderbird before 1.5.0.7 and SeaMonkey before 1.0.5, with "Load Images" enabled, allows remote user-assisted attackers to bypass settings that disable JavaScript via a remote XBL file in a message that is loaded when the user views, forwards, or replies to the original message. | 2013-04-29
    oval:org.debian:def:1192 | V | several vulnerabilities | 2006-10-06
    oval:org.debian:def:1191 | V | several vulnerabilities | 2006-10-05
    oval:com.redhat.rhsa:def:20060676 | P | RHSA-2006:0676: seamonkey security update (Critical) | 2006-09-15
    oval:com.redhat.rhsa:def:20060677 | P | RHSA-2006:0677: thunderbird security update (Critical) | 2006-09-15