CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22763 – Mozilla: Script Execution during invalid object state
https://notcve.org/view.php?id=CVE-2022-22763
14 Feb 2022 — When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6. Cuando se apaga un trabajador, era posible hacer que el script se ejecutara tarde en el ciclo de vida, en un punto posterior al que no debería ser posible. Esta vulnerabilidad afecta a Firefox < 96, Thunderbird< 91.6 y Firefox ESR < 91.6. The Mozilla Foundation Security Advisory... • https://bugzilla.mozilla.org/show_bug.cgi?id=1740534 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0511 – Ubuntu Security Notice USN-5284-1
https://notcve.org/view.php?id=CVE-2022-0511
14 Feb 2022 — Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97. Los desarrolladores de Mozilla y miembros de la comunidad Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan ... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1713579%2C1735448%2C1743821%2C1746313%2C1746314%2C1746316%2C1746321%2C1746322%2C1746323%2C1746412%2C1746430%2C1746451%2C1746488%2C1746875%2C1746898%2C1746905%2C1746907%2C1746917%2C1747128%2C1747137%2C1747331%2C1747346%2C1747439%2C1747457%2C1747870%2C1749051%2C1749274%2C1749831 • CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22761 – Mozilla: frame-ancestors Content Security Policy directive was not enforced for framed extension pages
https://notcve.org/view.php?id=CVE-2022-22761
14 Feb 2022 — Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Las páginas de extensión accesibles desde la web (páginas con un esquema moz-extension://) no aplicaban correctamente la directiva frame-ancestors cuando se usaba en la Política de seguridad de contenido de la extensión web. Esta vul... • https://bugzilla.mozilla.org/show_bug.cgi?id=1745566 • CWE-693: Protection Mechanism Failure CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22764 – Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
https://notcve.org/view.php?id=CVE-2022-22764
14 Feb 2022 — Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Los desarrolladores de Mozilla, Paul Adenot y Mozilla Fuzzing Team, informaron sobre errores de seguridad de la memoria presentes en Fire... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1742682%2C1744165%2C1746545%2C1748210%2C1748279 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22754 – Mozilla: Extensions could have bypassed permission confirmation during update
https://notcve.org/view.php?id=CVE-2022-22754
14 Feb 2022 — If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Si un usuario instaló una extensión de un tipo particular, la extensión podría haberse actualizado automáticamente y, al hacerlo, omitir el mensaje que otorga a la nueva versión los nuevos permisos solicitados. Esta vulnerabilida... • https://bugzilla.mozilla.org/show_bug.cgi?id=1750565 • CWE-863: Incorrect Authorization CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22757 – Ubuntu Security Notice USN-5284-1
https://notcve.org/view.php?id=CVE-2022-22757
14 Feb 2022 — Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97. El agente remoto, utilizado en WebDriver, no validó los encabezados Host u Origin. • https://bugzilla.mozilla.org/show_bug.cgi?id=1720098 • CWE-345: Insufficient Verification of Data Authenticity CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22759 – Mozilla: Sandboxed iframes could have executed script if the parent appended elements
https://notcve.org/view.php?id=CVE-2022-22759
14 Feb 2022 — If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Si un documento creó un iframe en la sandboxed sin allow-scripts y posteriormente agregó un elemento al documento del iframe que, por ejemplo, tenía un controlador de ev... • https://bugzilla.mozilla.org/show_bug.cgi?id=1739957 • CWE-693: Protection Mechanism Failure CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22752 – Ubuntu Security Notice USN-5229-1
https://notcve.org/view.php?id=CVE-2022-22752
14 Jan 2022 — Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 96. Los desarrolladores de Mozilla, Christian Holler y Jason Kratzer, informaron sobre errores de seguridad de la memoria presentes en Firefox 95. Algunos de estos errores mostraron evidencia de corrupción de la ... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1741210%2C1742770 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-22748 – Mozilla: Spoofed origin on external protocol launch dialog
https://notcve.org/view.php?id=CVE-2022-22748
13 Jan 2022 — Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Los sitios web maliciosos podrían haber confundido a Firefox al mostrar el origen incorrecto al solicitar iniciar un programa y manejar un protocolo URL externo. Esta vulnerabilidad afecta a Firefox ESR < 91.5, Firefox < 96 y Thunderbird < 91.5. A flaw was found in Mozi... • https://bugzilla.mozilla.org/show_bug.cgi?id=1705211 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2021-4140 – Mozilla: Iframe sandbox bypass with XSLT
https://notcve.org/view.php?id=CVE-2021-4140
13 Jan 2022 — It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Fue posible construir un marcado XSLT específico que podría omitir un entorno limitado de iframe. Esta vulnerabilidad afecta a Firefox ESR < 91.5, Firefox < 96 y Thunderbird < 91.5. The Mozilla Foundation Security Advisory describes this flaw as: It was possible to construct specific XSLT markups that would enable some... • https://bugzilla.mozilla.org/show_bug.cgi?id=1746720 • CWE-91: XML Injection (aka Blind XPath Injection) CWE-1021: Improper Restriction of Rendered UI Layers or Frames •