Vulnerability Details CVE-2025-1015
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.228
EPSS Ranking 95.5%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2025-1015
-
cpe:2.3:a:mozilla:thunderbird:128.0.1
-
cpe:2.3:a:mozilla:thunderbird:128.1.0
-
cpe:2.3:a:mozilla:thunderbird:128.1.1
-
cpe:2.3:a:mozilla:thunderbird:128.2.0
-
cpe:2.3:a:mozilla:thunderbird:128.2.1
-
cpe:2.3:a:mozilla:thunderbird:128.2.2
-
cpe:2.3:a:mozilla:thunderbird:128.2.3
-
cpe:2.3:a:mozilla:thunderbird:128.3.0
-
cpe:2.3:a:mozilla:thunderbird:128.3.1
-
cpe:2.3:a:mozilla:thunderbird:128.3.2
-
cpe:2.3:a:mozilla:thunderbird:128.3.3
-
cpe:2.3:a:mozilla:thunderbird:128.4.0
-
cpe:2.3:a:mozilla:thunderbird:128.4.1
-
cpe:2.3:a:mozilla:thunderbird:128.4.2
-
cpe:2.3:a:mozilla:thunderbird:128.4.3
-
cpe:2.3:a:mozilla:thunderbird:128.4.4
-
cpe:2.3:a:mozilla:thunderbird:128.5.0
-
cpe:2.3:a:mozilla:thunderbird:128.5.1
-
cpe:2.3:a:mozilla:thunderbird:128.5.2
-
cpe:2.3:a:mozilla:thunderbird:128.6.0