CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-4127 – Mozilla: Angle graphics library out of date
https://notcve.org/view.php?id=CVE-2021-4127
An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. This vulnerability affects Thunderbird < 78.9 and Firefox ESR < 78.9. Una librería de gráficos desactualizada (Angle) probablemente contenía vulnerabilidades que podrían explotarse. Esta vulnerabilidad afecta a Thunderbird < 78.9 y Firefox ESR < 78.9. The Mozilla Foundation Security Advisory describes this issue as: An out of date graphics library (Angle) likely contained vulnerabilities that could potentially be exploited. • https://bugzilla.mozilla.org/show_bug.cgi?id=1691547 https://www.mozilla.org/security/advisories/mfsa2021-11 https://www.mozilla.org/security/advisories/mfsa2021-12 https://access.redhat.com/security/cve/CVE-2021-4127 https://bugzilla.redhat.com/show_bug.cgi?id=1942784 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31739
https://notcve.org/view.php?id=CVE-2022-31739
When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. Al descargar archivos en Windows, el carácter % no se escapaba, lo que podría haber provocado que una descarga se guardara incorrectamente en rutas influenciadas por el atacante que utilizaban variables como %HOMEPATH% o %APPDATA%. • https://bugzilla.mozilla.org/show_bug.cgi?id=1765049 https://www.mozilla.org/security/advisories/mfsa2022-20 https://www.mozilla.org/security/advisories/mfsa2022-21 https://www.mozilla.org/security/advisories/mfsa2022-22 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45414 – Mozilla: Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content
https://notcve.org/view.php?id=CVE-2022-45414
If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1. The Mozilla Foundation Security Advisory describes this flaw as: If a Thunderbird user quoted from an HTML email and the email contained either a video tag with the poster attribute or an object tag with a data attribute, a network request to the referenced remote URL was performed regardless of a configuration to block remote content, and an image loaded from the poster attribute was shown in the composer window. • https://bugzilla.mozilla.org/show_bug.cgi?id=1788096 https://www.mozilla.org/security/advisories/mfsa2022-50 https://access.redhat.com/security/cve/CVE-2022-45414 https://bugzilla.redhat.com/show_bug.cgi?id=2149868 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2022-46872 – Mozilla: Arbitrary file read from a compromised content process
https://notcve.org/view.php?id=CVE-2022-46872
An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6. The Mozilla Foundation Security Advisory describes this flaw as: An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. *This bug only affects Firefox for Linux. • https://bugzilla.mozilla.org/show_bug.cgi?id=1799156 https://security.gentoo.org/glsa/202305-06 https://security.gentoo.org/glsa/202305-13 https://www.mozilla.org/security/advisories/mfsa2022-51 https://www.mozilla.org/security/advisories/mfsa2022-52 https://www.mozilla.org/security/advisories/mfsa2022-53 https://access.redhat.com/security/cve/CVE-2022-46872 https://bugzilla.redhat.com/show_bug.cgi?id=2153441 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-46882 – Mozilla: Use-after-free in WebGL
https://notcve.org/view.php?id=CVE-2022-46882
A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6. The Mozilla Foundation Security Advisory describes this flaw as: A use-after-free in WebGL extensions could have led to a potentially exploitable crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1789371 https://security.gentoo.org/glsa/202305-06 https://security.gentoo.org/glsa/202305-13 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-52 https://www.mozilla.org/security/advisories/mfsa2022-53 https://access.redhat.com/security/cve/CVE-2022-46882 https://bugzilla.redhat.com/show_bug.cgi?id=2153467 • CWE-416: Use After Free •