CVE-2025-8029
BaseFortify
Publication date: 2025-07-22
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | From 60.9.0 (exc) |
| mozilla | thunderbird | to 140.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves Thunderbird executing 'javascript:' URLs when they are used inside 'object' and 'embed' HTML tags. This means that if a malicious 'javascript:' URL is embedded in these tags, Thunderbird could execute the JavaScript code, potentially leading to security issues.
How can this vulnerability impact me?
The vulnerability could allow an attacker to execute arbitrary JavaScript code within Thunderbird by embedding malicious 'javascript:' URLs in 'object' and 'embed' tags. This could lead to unauthorized actions, data exposure, or compromise of the user's environment.
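For mail filtering or triage, the pattern described above can be flagged before a message reaches an unpatched client. The following is an added example, not code from Mozilla or from this advisory: the names `scheme_of` and `find_script_urls` are hypothetical and `SAMPLE` is a constructed message body. It normalises each URL the way browser URL parsers do (tabs and newlines dropped, leading control characters and spaces stripped, scheme compared case-insensitively) so that a split or mixed-case scheme is still recognised.

```python
import re
from html.parser import HTMLParser

# Attribute that carries the resource URL for each tag named in the advisory.
URL_ATTRS = {"object": ("data",), "embed": ("src",)}

_INNER_WS = re.compile(r"[\t\n\r]")               # removed anywhere in a URL
_LEADING = "".join(chr(c) for c in range(0x21))   # C0 controls and space
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def scheme_of(url):
    """Return the lowercased URL scheme after parser-style cleanup, or None."""
    cleaned = _INNER_WS.sub("", url).lstrip(_LEADING)
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


class _Finder(HTMLParser):
    """Collects object/embed tags whose URL attribute uses the javascript: scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before this is called.
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()) and value and scheme_of(value) == "javascript":
                line, _col = self.getpos()
                self.hits.append((line, tag, name, value))


def find_script_urls(html_body):
    """Return (line, tag, attribute, raw value) for each flagged tag."""
    finder = _Finder()
    finder.feed(html_body)
    finder.close()
    return finder.hits


# Constructed sample body; void(0) stands in for any script content.
SAMPLE = """<html><body>
<p>Quarterly report attached.</p>
<object data="JaVa&#x09;Script:void(0)" type="text/html"></object>
<embed src=" javascript:void(0)">
<embed src="https://example.com/clip.mp4">
<object data="cid:part1@example.com"></object>
</body></html>"""

if __name__ == "__main__":
    for hit in find_script_urls(SAMPLE):
        print(hit)
```

A hit is a reason to quarantine or strip the element; it does not replace updating the affected products.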