CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-34478
https://notcve.org/view.php?id=CVE-2022-34478
The <code>ms-msdt</code>, <code>search</code>, and <code>search-ms</code> protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them.<br>*This bug only affects Thunderbird on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. • https://bugzilla.mozilla.org/show_bug.cgi?id=1773717 https://www.mozilla.org/security/advisories/mfsa2022-24 https://www.mozilla.org/security/advisories/mfsa2022-25 https://www.mozilla.org/security/advisories/mfsa2022-26 •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2022-22746
https://notcve.org/view.php?id=CVE-2022-22746
A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Una condición de ejecución podría haber permitido omitir la notificación de pantalla completa, lo que podría haber llevado a que una ventana falsa de pantalla completa pasara desapercibida. • https://bugzilla.mozilla.org/show_bug.cgi?id=1735071 https://www.mozilla.org/security/advisories/mfsa2022-01 https://www.mozilla.org/security/advisories/mfsa2022-02 https://www.mozilla.org/security/advisories/mfsa2022-03 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-46880 – Mozilla: Use-after-free in WebGL
https://notcve.org/view.php?id=CVE-2022-46880
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.<br />*Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 105. This vulnerability affects Firefox ESR < 102.6, Firefox < 105, and Thunderbird < 102.6. The Mozilla Foundation Security Advisory describes this flaw as: A missing check related to tex units could have led to a use-after-free and potentially exploitable crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1749292 https://security.gentoo.org/glsa/202305-06 https://security.gentoo.org/glsa/202305-13 https://www.mozilla.org/security/advisories/mfsa2022-40 https://www.mozilla.org/security/advisories/mfsa2022-52 https://www.mozilla.org/security/advisories/mfsa2022-53 https://access.redhat.com/security/cve/CVE-2022-46880 https://bugzilla.redhat.com/show_bug.cgi?id=2153463 • CWE-416: Use After Free •
CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 0CVE-2022-46874 – Mozilla: Drag and Dropped Filenames could have been truncated to malicious extensions
https://notcve.org/view.php?id=CVE-2022-46874
A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.<br/>*Note*: This issue was originally included in the advisories for Thunderbird 102.6, but a patch (specific to Thunderbird) was omitted, resulting in it actually being fixed in Thunderbird 102.6.1. This vulnerability affects Firefox < 108, Thunderbird < 102.6.1, Thunderbird < 102.6, and Firefox ESR < 102.6. The Mozilla Foundation Security Advisory describes this flaw as: A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. • https://bugzilla.mozilla.org/show_bug.cgi?id=1746139 https://security.gentoo.org/glsa/202305-06 https://security.gentoo.org/glsa/202305-13 https://www.mozilla.org/security/advisories/mfsa2022-51 https://www.mozilla.org/security/advisories/mfsa2022-52 https://www.mozilla.org/security/advisories/mfsa2022-53 https://www.mozilla.org/security/advisories/mfsa2022-54 https://access.redhat.com/security/cve/CVE-2022-46874 https://bugzilla.redhat.com/show_bug.cgi?id=2153449 • CWE-222: Truncation of Security-relevant Information •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-46881 – Mozilla: Memory corruption in WebGL
https://notcve.org/view.php?id=CVE-2022-46881
An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash. *Note*: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 106. This vulnerability affects Firefox < 106, Firefox ESR < 102.6, and Thunderbird < 102.6. Una optimización en WebGL era incorrecta en algunos casos, y podría haber provocado daños en la memoria y un bloqueo potencialmente explotable. *Nota*: Este aviso se agregó el 13 de diciembre de 2022 después de que entendiéramos mejor el impacto del problema. • https://bugzilla.mozilla.org/show_bug.cgi?id=1770930 https://security.gentoo.org/glsa/202305-06 https://security.gentoo.org/glsa/202305-13 https://www.mozilla.org/security/advisories/mfsa2022-44 https://www.mozilla.org/security/advisories/mfsa2022-52 https://www.mozilla.org/security/advisories/mfsa2022-53 https://access.redhat.com/security/cve/CVE-2022-46881 https://bugzilla.redhat.com/show_bug.cgi?id=2153466 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •