Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords - CVE-2020-6794| ID: oval:org.secpod.oval:def:61398 | Date: (C)2020-02-13 (M)2022-10-10 |
| Class: VULNERABILITY | Family: windows |
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.
| Platform: |
| Microsoft Windows Server 2019 |
| Microsoft Windows Server 2003 |
| Microsoft Windows 8 |
| Microsoft Windows Server 2008 |
| Microsoft Windows 7 |
| Microsoft Windows 8.1 |
| Microsoft Windows Server 2008 R2 |
| Microsoft Windows Server 2012 |
| Microsoft Windows Server 2016 |
| Microsoft Windows Server 2012 R2 |
| Microsoft Windows 10 |
| Product: |
| Mozilla Thunderbird |
