CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38474 – Gentoo Linux Security Advisory 202208-37
https://notcve.org/view.php?id=CVE-2022-38474
01 Sep 2022 — A website that had permission to access the microphone could record audio without the audio notification being shown. This bug does not allow the attacker to bypass the permission prompt - it only affects the notification shown once permission has been granted.<br />*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 104. • https://bugzilla.mozilla.org/show_bug.cgi?id=1719511 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-38478 – Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13
https://notcve.org/view.php?id=CVE-2022-38478
25 Aug 2022 — Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. Los miembros del equipo Mozilla Fuzzing informaron errores de seguridad de la memoria presentes e... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-38473 – Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions
https://notcve.org/view.php?id=CVE-2022-38473
25 Aug 2022 — A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. Un iframe de origen cruzado que haga referencia a un documento XSLT heredaría los permisos del dominio principal (como el acceso al micrófono o la cámara). Esta vulnerabilidad afecta a Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR &... • https://bugzilla.mozilla.org/show_bug.cgi?id=1771685 • CWE-281: Improper Preservation of Permissions CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-38472 – Mozilla: Address bar spoofing via XSLT error handling
https://notcve.org/view.php?id=CVE-2022-38472
25 Aug 2022 — An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. Un atacante podría haber abusado del manejo de errores XSLT para asociar contenido controlado por el atacante con otro origen que se m... • https://bugzilla.mozilla.org/show_bug.cgi?id=1769155 • CWE-346: Origin Validation Error CWE-356: Product UI does not Warn User of Unsafe Actions •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-38477 – Mozilla: Memory safety bugs fixed in Firefox 104 and Firefox ESR 102.2
https://notcve.org/view.php?id=CVE-2022-38477
25 Aug 2022 — Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104. La desarrolladora de Mozilla, Nika Layzell, y el equipo Mozilla Fuzzing informaron errores de seguridad de la memoria presentes en F... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1760611%2C1770219%2C1771159%2C1773363 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26385 – Gentoo Linux Security Advisory 202208-08
https://notcve.org/view.php?id=CVE-2022-26385
10 Aug 2022 — In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 98. En circunstancias inusuales, un subproceso individual puede sobrevivir al administrador del subproceso durante el cierre. Esto podría haber llevado a un use-after-free que provocó un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1747526 • CWE-416: Use After Free •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-34469 – Gentoo Linux Security Advisory 202208-08
https://notcve.org/view.php?id=CVE-2022-34469
10 Aug 2022 — When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102. • https://bugzilla.mozilla.org/show_bug.cgi?id=1721220 • CWE-295: Improper Certificate Validation •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34475 – Gentoo Linux Security Advisory 202208-08
https://notcve.org/view.php?id=CVE-2022-34475
10 Aug 2022 — SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed. This vulnerability affects Firefox < 102. Las etiquetas SVG que hacían referencia a un documento del mismo origen podrían haber dado lugar a la ejecución de un script si la entrada del atacante se hubiera s... • https://bugzilla.mozilla.org/show_bug.cgi?id=1757210 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34471 – Gentoo Linux Security Advisory 202208-08
https://notcve.org/view.php?id=CVE-2022-34471
10 Aug 2022 — When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102. Al descargar una actualización para un complemento, no se verificó que la versión de la actualización del complemento descargada coincidiera con la versión seleccionada en el manifiesto. S... • https://bugzilla.mozilla.org/show_bug.cgi?id=1766047 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34482 – Gentoo Linux Security Advisory 202208-08
https://notcve.org/view.php?id=CVE-2022-34482
10 Aug 2022 — An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102. Un atacante que podría haber convencido a un usuario de arrastrar y soltar una imagen en un sistema de archivos podría haber manipulado el nombre del archivo r... • https://bugzilla.mozilla.org/show_bug.cgi?id=845880 •