CVE-2025-1015
5.4
MEDIUM
CVSS 3.1
EPSS 29.3%
Description
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
How to fix CVE-2025-1015
To remediate CVE-2025-1015, upgrade the affected package to a fixed version below.
- —upgrade to 1:128.7.0esr-1~deb11u1 or later
Is CVE-2025-1015 being exploited?
Moderate — EPSS is 29.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 1:128.7.0esr-1~deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |