CVE-2022-38472 in Thunderbird
Summary
by MITRE • 12/22/2022
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
Analysis
by VulDB Data Team • 06/22/2026
This vulnerability represents a sophisticated cross-origin information disclosure and user deception mechanism that exploits XSLT error handling within Mozilla's browser and email client implementations. The flaw allows attackers to manipulate how error messages are displayed when processing XSLT transformations, creating a scenario where malicious content can appear to originate from a trusted domain. The technical exploitation involves crafting XSLT documents that, when processed with error handling, can cause the browser to display attacker-controlled content while maintaining the appearance of a legitimate origin in the address bar. This creates a deceptive environment where users may unknowingly interact with malicious content, believing it comes from a trusted source.
The vulnerability specifically impacts the handling of XSLT error messages and their association with document origins, enabling attackers to perform phishing attacks or data exfiltration through seemingly legitimate browser interfaces. The flaw exists in how the browser engine processes error messages from XSLT transformations, allowing malicious input to influence the display context and origin information shown to users. This type of vulnerability falls under the category of cross-origin resource manipulation and can be classified as a variant of cross-site scripting or cross-origin information leakage. The affected software versions demonstrate that this issue was present across multiple Mozilla products including Thunderbird email client and Firefox browser, affecting both regular and extended support releases.
The operational impact of this vulnerability extends beyond simple information disclosure to include potential user deception and credential harvesting. Attackers could craft malicious XSLT documents that, when processed by vulnerable applications, would display content that appears to originate from trusted domains such as banking sites or social media platforms. This creates opportunities for sophisticated phishing campaigns where users might enter sensitive information believing they are interacting with legitimate services. The vulnerability affects Thunderbird and Firefox ESR versions prior to 91.13 and 102.2 and Firefox versions prior to 104, indicating that the fix addressed the core issue in the XSLT error handling mechanisms that could be manipulated to display misleading origin information. This type of attack vector aligns with techniques described in the ATT&CK framework under the credential access and defense evasion categories, where attackers leverage browser implementation weaknesses to bypass security controls.
The technical exploitation requires crafting XSLT content that triggers error conditions in a way that allows attacker-controlled data to be displayed with misleading origin information. This represents a sophisticated attack that leverages the interaction between XSLT processing, error handling, and browser display mechanisms. The vulnerability demonstrates how complex web technologies can introduce unexpected security implications when error conditions are not properly isolated from user-facing content. Security researchers have noted that similar vulnerabilities in web browsers often stem from insufficient sanitization of error messages and improper handling of cross-origin contexts during processing. The remediation typically involves ensuring that error messages and their associated metadata are properly isolated from user-controlled content and that origin information displayed to users accurately reflects the actual source of content rather than potentially manipulated error contexts. Organizations should prioritize updating affected systems to versions that include patches addressing the XSLT error handling implementation and related cross-origin resource management mechanisms.
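To act on the update recommendation, the following added example (not VulDB's or Mozilla's code) triages a software inventory against the affected ranges in the summary. It assumes each listed bound is the fixed release of its own branch, so 91.13 is patched while 102.1 is not; the inventory format, the product keys and the host names are constructed for illustration.

```python
import re

# Fixed release per branch, taken from the summary on this page.
FIXED = {
    "thunderbird": {91: (91, 13), 102: (102, 2)},
    "firefox-esr": {91: (91, 13), 102: (102, 2)},
    "firefox": {104: (104, 0)},
}

# Constructed sample inventory (host,product,version); not real data.
INVENTORY = """\
ws-014,thunderbird,91.12.1
ws-015,thunderbird,91.13.0
ws-021,firefox-esr,102.1.0esr
ws-022,firefox-esr,102.2.0esr
ws-030,firefox,103.0.2
ws-031,firefox,104.0
"""

def parse_version(text):
    """Turn '102.1.0esr', '91.13.0' or '104' into a (major, minor) tuple."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def is_affected(product, version):
    """True if the build predates the fix for CVE-2022-38472."""
    branches = FIXED[product.lower()]
    ver = parse_version(version)
    # A build on a branch with its own fix is compared within that branch,
    # so 91.13 is not flagged merely for being lower than 102.2.
    if ver[0] in branches:
        return ver < branches[ver[0]]
    # Any other build is compared against the newest fixed release.
    return ver < max(branches.values())

def triage(inventory):
    """Return (host, product, version) rows that still need the update."""
    affected = []
    for line in inventory.splitlines():
        if line.strip():
            host, product, version = (f.strip() for f in line.split(","))
            if is_affected(product, version):
                affected.append((host, product, version))
    return affected

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row)
```

A single-threshold comparison would get this wrong in one direction or the other: checking only against 102.2 flags patched 91.13 builds, and checking only against 91.13 misses 102.0 and 102.1.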