CVE-2025-11716

MEDIUM
2025-10-14 [email protected]
6.5
CVSS 3.1

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 15:45 (vuln.today)

Description (source: NVD)

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

Analysis (source: AI)

Sandboxed iframes in Firefox and Thunderbird on Android could bypass the sandbox's permission restrictions and launch external applications without the required "allow-" sandbox tokens, so a malicious link could trigger an unintended app launch. An unauthenticated remote attacker needs only user interaction (a link click) to exploit this, and the impact is to integrity. Firefox 144 and Thunderbird 144 contain the fix; no public exploit code or active exploitation has been identified.

Technical Context (source: AI)

This vulnerability stems from improper permission enforcement in the iframe sandbox implementation on Android. The sandbox attribute is designed to restrict the capabilities of untrusted content, with individual capabilities re-enabled only through explicit "allow-" tokens (e.g., allow-top-navigation, allow-popups). However, links within sandboxed iframes could circumvent this policy and trigger external app launches, a capability that should be restricted unless explicitly permitted. The root cause (CWE-284: Improper Access Control) indicates that sandbox boundary enforcement failed to properly validate or restrict access to the platform's app-launching functionality. This affects the Android builds of Mozilla Firefox and Thunderbird, where the sandboxing model is critical for isolating web content from sensitive platform features.

Remediation (source: AI)

Vendor-released patch: Firefox 144 and Thunderbird 144. Update to these versions or later to eliminate the vulnerability. No workarounds are available for earlier versions; users on older Firefox or Thunderbird releases should update immediately. Administrators managing Firefox or Thunderbird deployments on Android should enable automatic updates or manually deploy Firefox 144+ and Thunderbird 144+ to affected devices. Consult Mozilla's security advisories (https://www.mozilla.org/security/advisories/mfsa2025-81/ and https://www.mozilla.org/security/advisories/mfsa2025-84/) for release notes and any platform-specific deployment guidance.

Vendor Status (source: Vendor)

CVE-2025-11716 vulnerability details – vuln.today
