CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45404 – Mozilla: Fullscreen notification bypass
https://notcve.org/view.php?id=CVE-2022-45404
Through a series of popup and <code>window.print()</code> calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. A través de una serie de ventanas emergentes y llamadas <code>window.print()</code>, un atacante puede hacer que una ventana pase a pantalla completa sin que el usuario vea el mensaje de notificación, lo que genera una posible confusión del usuario o ataques de suplantación de identidad. Esta vulnerabilidad afecta a Firefox ESR < 102,5, Thunderbird < 102.5 y Firefox < 107. The Mozilla Foundation Security Advisory describes this flaw as: Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. • https://bugzilla.mozilla.org/show_bug.cgi?id=1790815 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-48 https://www.mozilla.org/security/advisories/mfsa2022-49 https://access.redhat.com/security/cve/CVE-2022-45404 https://bugzilla.redhat.com/show_bug.cgi?id=2143198 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45405 – Mozilla: Use-after-free in InputStream implementation
https://notcve.org/view.php?id=CVE-2022-45405
Freeing arbitrary <code>nsIInputStream</code>'s on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Liberar <code>nsIInputStream</code> arbitrarios en un hilo diferente al de creación podría haber provocado un use after free y un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox ESR < 102,5, Thunderbird < 102.5 y Firefox < 107. The Mozilla Foundation Security Advisory describes this flaw as: Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1791314 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-48 https://www.mozilla.org/security/advisories/mfsa2022-49 https://access.redhat.com/security/cve/CVE-2022-45405 https://bugzilla.redhat.com/show_bug.cgi?id=2143199 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45408 – Mozilla: Fullscreen notification bypass via windowName
https://notcve.org/view.php?id=CVE-2022-45408
Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. A través de una serie de ventanas emergentes que reutilizan el nombre de la ventana, un atacante puede hacer que una ventana pase a pantalla completa sin que el usuario vea el mensaje de notificación, lo que genera una posible confusión del usuario o ataques de suplantación de identidad. Esta vulnerabilidad afecta a Firefox ESR < 102,5, Thunderbird < 102.5 y Firefox < 107. The Mozilla Foundation Security Advisory describes this flaw as: Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. • https://bugzilla.mozilla.org/show_bug.cgi?id=1793829 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-48 https://www.mozilla.org/security/advisories/mfsa2022-49 https://access.redhat.com/security/cve/CVE-2022-45408 https://bugzilla.redhat.com/show_bug.cgi?id=2143201 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45409 – Mozilla: Use-after-free in Garbage Collection
https://notcve.org/view.php?id=CVE-2022-45409
The garbage collector could have been aborted in several states and zones and <code>GCRuntime::finishCollection</code> may not have been called, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. El recolector de basura podría haber sido abortado en varios estados y zonas y es posible que no se haya llamado a <code>GCRuntime::finishCollection</code>, lo que provocó un use after free y un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox ESR < 102,5, Thunderbird < 102.5 y Firefox < 107. The Mozilla Foundation Security Advisory describes this flaw as: The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1796901 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-48 https://www.mozilla.org/security/advisories/mfsa2022-49 https://access.redhat.com/security/cve/CVE-2022-45409 https://bugzilla.redhat.com/show_bug.cgi?id=2143202 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45418 – Mozilla: Custom mouse cursor could have been drawn over browser UI
https://notcve.org/view.php?id=CVE-2022-45418
If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Si se especifica un cursor de mouse personalizado en CSS, bajo ciertas circunstancias el cursor podría haberse dibujado sobre la interfaz de usuario del navegador, lo que podría generar confusión en el usuario o ataques de suplantación de identidad. Esta vulnerabilidad afecta a Firefox ESR < 102,5, Thunderbird < 102.5 y Firefox < 107. The Mozilla Foundation Security Advisory describes this flaw as: If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. • https://bugzilla.mozilla.org/show_bug.cgi?id=1795815 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-48 https://www.mozilla.org/security/advisories/mfsa2022-49 https://access.redhat.com/security/cve/CVE-2022-45418 https://bugzilla.redhat.com/show_bug.cgi?id=2143241 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •