CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42927 – Mozilla: Same-origin policy violation could have leaked cross-origin URLs
https://notcve.org/view.php?id=CVE-2022-42927
A same-origin policy violation could have allowed the theft of cross-origin URL entries, leaking the result of a redirect, via `performance.getEntries()`. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. Una infracción de la política del mismo origen podría haber permitido el robo de entradas de URL de origen cruzado, filtrando el resultado de una redirección, a través de 'performance.getEntries()'. Esta vulnerabilidad afecta a Firefox < 106, Firefox ESR < 102.4 y Thunderbird < 102.4. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1789128 https://www.mozilla.org/security/advisories/mfsa2022-44 https://www.mozilla.org/security/advisories/mfsa2022-45 https://www.mozilla.org/security/advisories/mfsa2022-46 https://access.redhat.com/security/cve/CVE-2022-42927 https://bugzilla.redhat.com/show_bug.cgi?id=2136156 • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42928 – Mozilla: Memory Corruption in JS Engine
https://notcve.org/view.php?id=CVE-2022-42928
Certain types of allocations were missing annotations that, if the Garbage Collector was in a specific state, could have lead to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 106, Firefox ESR < 102.4, and Thunderbird < 102.4. A ciertos tipos de asignaciones les faltaban anotaciones que, si el recolector de elementos no utilizados estaba en un estado específico, podrían haber provocado daños en la memoria y un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox < 106, Firefox ESR < 102.4 y Thunderbird < 102.4. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1791520 https://www.mozilla.org/security/advisories/mfsa2022-44 https://www.mozilla.org/security/advisories/mfsa2022-45 https://www.mozilla.org/security/advisories/mfsa2022-46 https://access.redhat.com/security/cve/CVE-2022-42928 https://bugzilla.redhat.com/show_bug.cgi?id=2136157 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3155
https://notcve.org/view.php?id=CVE-2022-3155
When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm. This vulnerability affects Thunderbird < 102.3. Al guardar o abrir un archivo adjunto de correo electrónico en macOS, Thunderbird no configuró el atributo com.apple.quarantine en el archivo recibido. Si el archivo recibido era una aplicación y el usuario intentaba abrirlo, entonces la aplicación se iniciaba inmediatamente sin pedirle confirmación al usuario. • https://bugzilla.mozilla.org/show_bug.cgi?id=1789061 https://www.mozilla.org/security/advisories/mfsa2022-42 •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-40957 – Mozilla: Incoherent instruction cache when building WASM on ARM64
https://notcve.org/view.php?id=CVE-2022-40957
Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Los datos inconsistentes en las instrucciones y en el caché de datos al crear código wasm podrían provocar un fallo potencialmente explotable.<br>*Este error solo afecta a Firefox en plataformas ARM64.*. • https://bugzilla.mozilla.org/show_bug.cgi?id=1777604 https://www.mozilla.org/security/advisories/mfsa2022-40 https://www.mozilla.org/security/advisories/mfsa2022-41 https://www.mozilla.org/security/advisories/mfsa2022-42 https://access.redhat.com/security/cve/CVE-2022-40957 https://bugzilla.redhat.com/show_bug.cgi?id=2128796 • CWE-240: Improper Handling of Inconsistent Structural Elements •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-40956 – Mozilla: Content-Security-Policy base-uri bypass
https://notcve.org/view.php?id=CVE-2022-40956
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Al inyectar un elemento base HTML, algunas solicitudes ignorarían la configuración de uri base del CSP y aceptarían la base del elemento inyectado. Esta vulnerabilidad afecta a Firefox ESR < 102.3, Thunderbird < 102.3 y Firefox < 105. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1770094 https://www.mozilla.org/security/advisories/mfsa2022-40 https://www.mozilla.org/security/advisories/mfsa2022-41 https://www.mozilla.org/security/advisories/mfsa2022-42 https://access.redhat.com/security/cve/CVE-2022-40956 https://bugzilla.redhat.com/show_bug.cgi?id=2128795 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1021: Improper Restriction of Rendered UI Layers or Frames •