CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1520 – Mozilla: Incorrect security status shown after viewing an attached email
https://notcve.org/view.php?id=CVE-2022-1520
05 May 2022 — When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9. Al visualizar un mensaje de correo electrónico A, que contiene un mensaje B adjunto, donde B está cifrado o firmado ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1745019 • CWE-203: Observable Discrepancy •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29909 – Mozilla: Bypassing permission prompt in nested browsing contexts
https://notcve.org/view.php?id=CVE-2022-29909
04 May 2022 — Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Los documentos en contextos de navegación entre orígenes profundamente anidados podrían haber obtenido permisos otorgados al origen de nivel superior, omitiendo el mensaje existente y heredando erróneamente los permisos ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1755081 • CWE-276: Incorrect Default Permissions CWE-281: Improper Preservation of Permissions •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29914 – Mozilla: Fullscreen notification bypass using popups
https://notcve.org/view.php?id=CVE-2022-29914
04 May 2022 — When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Al reutilizar ventanas emergentes existentes, Firefox les habría permitido cubrir la interfaz de usuario de notificación en pantalla completa, lo que podría haber permitido ataques de suplantación de identidad del navegador. Esta vulnerabilidad afecta a Thunderbird < 91... • https://bugzilla.mozilla.org/show_bug.cgi?id=1746448 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29911 – Mozilla: iframe Sandbox bypass
https://notcve.org/view.php?id=CVE-2022-29911
04 May 2022 — An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Una implementación incorrecta de la nueva palabra clave de iframe sandbox allow-top-navigation-by-user-activation podría provocar la ejecución del script sin que allow-scripts esté presente. Esta vulnerabi... • https://bugzilla.mozilla.org/show_bug.cgi?id=1761981 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 4CVE-2022-29916 – Mozilla: Leaking browser history with CSS variables
https://notcve.org/view.php?id=CVE-2022-29916
04 May 2022 — Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Firefox se comportó de manera ligeramente diferente para recursos ya conocidos al cargar recursos CSS que involucraban variables CSS. Esto podría haberse utilizado para sondear el historial del navegador. • https://bugzilla.mozilla.org/show_bug.cgi?id=1760674 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2022-29917 – Mozilla: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
https://notcve.org/view.php?id=CVE-2022-29917
04 May 2022 — Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Los desarrolladores de Mozilla, Andrew McCreight, Gabriele Svelto, Tom Ritter y el equipo Mozilla Fuzz... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1684739%2C1706441%2C1753298%2C1762614%2C1762620%2C1764778 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 1CVE-2022-29912 – Mozilla: Reader mode bypassed SameSite cookies
https://notcve.org/view.php?id=CVE-2022-29912
04 May 2022 — Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Las solicitudes iniciadas a través del modo lector no omitieron correctamente las cookies con un atributo SameSite. Esta vulnerabilidad afecta a Thunderbird < 91.9, Firefox ESR < 91.9 y Firefox < 100. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1692655 • CWE-565: Reliance on Cookies without Validation and Integrity Checking CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1197 – Mozilla: OpenPGP revocation information was ignored
https://notcve.org/view.php?id=CVE-2022-1197
11 Apr 2022 — When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8. Al importar una clave revocada que especificaba el compromiso de la clave como motivo de revocación, Thunderbird no actualizaba la c... • https://bugzilla.mozilla.org/show_bug.cgi?id=1754985 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 4CVE-2022-28285 – Mozilla: Incorrect AliasSet used in JIT Codegen
https://notcve.org/view.php?id=CVE-2022-28285
08 Apr 2022 — When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. Al generar el código ensamblador para MLoadTypedArrayElementHole, se utilizó un AliasSet incorrecto. Junto con otra vulnerabilidad, esto podría haberse utilizado para una lectura de memoria fuera de lo... • https://bugzilla.mozilla.org/show_bug.cgi?id=1756957 • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-1097 – Mozilla: Use-after-free in NSSToken objects
https://notcve.org/view.php?id=CVE-2022-1097
08 Apr 2022 — NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. Se hacía referencia a los objetos NSSToken a través de puntos directos y se podría haber accedido a ellos de forma insegura en diferentes subprocesos, lo que provocó un use after free y un bloqueo potencialmente explot... • https://bugzilla.mozilla.org/show_bug.cgi?id=1745667 • CWE-416: Use After Free •