CVE-2025-3875

{"id": "CVE-2025-3875", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-05-14T17:15:48.470", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/", "source": "security@mozilla.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1."}, {"lang": "es", "value": "Thunderbird analiza las direcciones de forma que permite la suplantaci\u00f3n del remitente si el servidor permite el uso de una direcci\u00f3n de remitente no v\u00e1lida. Por ejemplo, si el encabezado \"De\" contiene el valor (inv\u00e1lido) \"Nombre falsificado\", Thunderbird trata spoofed@example.com como la direcci\u00f3n real. Esta vulnerabilidad afecta a Thunderbird &lt; 128.10.1 y Thunderbird &lt; 138.0.1."}], "lastModified": "2025-05-16T14:43:56.797", "sourceIdentifier": "security@mozilla.org"}