CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45407 – Gentoo Linux Security Advisory 202211-06
https://notcve.org/view.php?id=CVE-2022-45407
16 Nov 2022 — If an attacker loaded a font using <code>FontFace()</code> on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash. This vulnerability affects Firefox < 107. Si un atacante cargó una fuente usando <code>FontFace()</code> en un trabajador en segundo plano, podría haberse producido un use after free, lo que habría provocado un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox < 107. Multiple security issues were discovered in Firefox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1793314 • CWE-416: Use After Free •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-45413 – Gentoo Linux Security Advisory 202211-06
https://notcve.org/view.php?id=CVE-2022-45413
16 Nov 2022 — Using the <code>S.browser_fallback_url parameter</code> parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.<br>*This issue only affects Firefox for Android. Other operating systems are not affected.*. This vulnerability affects Firefox < 107. Multiple security issues were discovered in Firefox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1791201 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45410 – Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
https://notcve.org/view.php?id=CVE-2022-45410
16 Nov 2022 — When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Cuando un ServiceWorker interceptó una solicitud con FetchEvent, el origen de la solicitud se perdió después de que ServiceWorker tomó posesión... • https://bugzilla.mozilla.org/show_bug.cgi?id=1658869 • CWE-862: Missing Authorization CWE-1275: Sensitive Cookie with Improper SameSite Attribute •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45406 – Mozilla: Use-after-free of a JavaScript Realm
https://notcve.org/view.php?id=CVE-2022-45406
16 Nov 2022 — If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. The Mozilla Foundation Security Advisory describes this flaw as: If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references t... • https://bugzilla.mozilla.org/show_bug.cgi?id=1791975 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45420 – Mozilla: Iframe contents could be rendered outside the iframe
https://notcve.org/view.php?id=CVE-2022-45420
16 Nov 2022 — Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Al utilizar tablas dentro de un iframe, un atacante podría haber provocado que el contenido del iframe se representara fuera de los límites del iframe, lo que provocaría una posible confusión del usuario o ataques de suplantación de i... • https://bugzilla.mozilla.org/show_bug.cgi?id=1792643 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45415 – Gentoo Linux Security Advisory 202211-06
https://notcve.org/view.php?id=CVE-2022-45415
16 Nov 2022 — When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the contents of the addressbar,... • https://bugzilla.mozilla.org/show_bug.cgi?id=1793551 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45417 – Gentoo Linux Security Advisory 202211-06
https://notcve.org/view.php?id=CVE-2022-45417
16 Nov 2022 — Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk. This vulnerability affects Firefox < 107. Los Service Workers no detectaron correctamente el modo de navegación privada en todos los casos, lo que podría haber provocado que los Service Wo... • https://bugzilla.mozilla.org/show_bug.cgi?id=1794508 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45416 – Mozilla: Keystroke Side-Channel Leakage
https://notcve.org/view.php?id=CVE-2022-45416
16 Nov 2022 — Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Los eventos de teclado hacen referencia a cadenas como "KeyA" que estaban en direcciones fijas, conocidas y ampliamente distribuidas. Los ataques de sincronización basados en caché, como Prime+Probe, posiblemente... • https://bugzilla.mozilla.org/show_bug.cgi?id=1793676 • CWE-203: Observable Discrepancy •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42931 – Ubuntu Security Notice USN-5709-1
https://notcve.org/view.php?id=CVE-2022-42931
01 Nov 2022 — Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106. Los inicios de sesión guardados por Firefox deben ser administrados por el componente Administrador de contraseñas, que utiliza cifrado para guardar archivos en el disco. En cambio, el Administrador de formularios guardó el nombre de usuario (no la c... • https://bugzilla.mozilla.org/show_bug.cgi?id=1780571 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42930 – Gentoo Linux Security Advisory 202210-34
https://notcve.org/view.php?id=CVE-2022-42930
01 Nov 2022 — If two Workers were simultaneously initializing their CacheStorage, a data race could have occurred in the `ThirdPartyUtil` component. This vulnerability affects Firefox < 106. Si dos trabajadores inicializaran simultáneamente su CacheStorage, podría haberse producido una "carrera" de datos en el componente 'ThirdPartyUtil'. Esta vulnerabilidad afecta a Firefox < 106. Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in arbitrary code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1789503 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •