This Red Hat security advisory addresses a set of ten vulnerabilities in Mozilla Thunderbird, including CVE-2024-10458 (permission leak via embed or object elements), CVE-2024-10459 (use-after-free in layout with accessibility), CVE-2024-10460 (confusing display of origin for external protocol handler prompt), CVE-2024-10461 (XSS due to Content-Disposition being ignored), CVE-2024-10462 (origin of permission prompt spoofed by long URL), CVE-2024-10463 (cross-origin video frame leak), CVE-2024-10464 (denial of service via history interface), CVE-2024-10465 (clipboard paste button persisted across tabs), CVE-2024-10466 (DOM push subscription message hang), and CVE-2024-10467 (memory safety bugs). These vulnerabilities affect Thunderbird as packaged for Red Hat Enterprise Linux 9.2 Extended Update Support and are fixed in Thunderbird version 128.4.0. The advisory provides updated packages and references for remediation.

The vulnerabilities collectively could lead to denial of service conditions, cross-site scripting attacks, permission leaks, use-after-free memory corruption, memory safety issues, UI spoofing, and potential hangs in the application. These issues may impact the confidentiality, integrity, and availability of the Thunderbird mail client. However, no known exploits in the wild have been reported at the time of this advisory. The overall security impact is rated as moderate by Red Hat.

Red Hat has released updated Thunderbird packages (version 128.4.0-1.el9_2) for Red Hat Enterprise Linux 9.2 Extended Update Support that address these vulnerabilities. Users should apply these official updates promptly to remediate the issues. For detailed update instructions, refer to the Red Hat advisory at https://access.redhat.com/articles/11258. No additional mitigations are specified or required beyond applying the provided patches.