“Attackers could attack Firefox, Firefox ESR, and Thunderbird in certain situations and execute malicious code in the worst case scenario. If this works, they are likely to completely compromise systems.

The two web browsers may experience problems with parsing (CVE-2022-40 960 “high”) of non-UTF8 URLs. In an unspecified attack scenario, malicious code could reach systems (CVE-2022-40 962 “high”).

Responses Victims to a pre-prepared HTML email with a meta tag could potentially exclude information about it. Due to the error (CVE-2022-3033 “high”) you could run JavaScript and read or even manipulate messages about it. Users who have set the display of message text to simple html or plain text are not affected by the vulnerability.

Developers have fixed the vulnerabilities in Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1 and Thunderbird 102.2.1.”

https://www.heise.de/news/Angreifer-koennten-eigenen-Code-im-Kontext-von-Firefox-und-Thunderbird-ausfuehren-7270944.html

in both products updates go like this:

  • help -> About Firefox/Thunderbird -> update

admin