CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22759 – Mozilla: Sandboxed iframes could have executed script if the parent appended elements
https://notcve.org/view.php?id=CVE-2022-22759
14 Feb 2022 — If a document created a sandboxed iframe without allow-scripts, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Si un documento creó un iframe en la sandboxed sin allow-scripts y posteriormente agregó un elemento al documento del iframe que, por ejemplo, tenía un controlador de ev... • https://bugzilla.mozilla.org/show_bug.cgi?id=1739957 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2022-22756 – Mozilla: Drag and dropping an image could have resulted in the dropped object being an executable
https://notcve.org/view.php?id=CVE-2022-22756
14 Feb 2022 — If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Si se convenciera a un usuario de arrastrar y soltar una imagen en su escritorio u otra carpeta, el objeto resultante podría haberse convertido en un script ejecutable que habría ejecutado código arbitrario... • https://bugzilla.mozilla.org/show_bug.cgi?id=1317873 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22760 – Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types
https://notcve.org/view.php?id=CVE-2022-22760
14 Feb 2022 — When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Al importar recursos utilizando Web Workers, los mensajes de error distinguirían la diferencia entre respuestas application/javascript y respuestas sin script. Se podría haber abu... • https://bugzilla.mozilla.org/show_bug.cgi?id=1740985 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22754 – Mozilla: Extensions could have bypassed permission confirmation during update
https://notcve.org/view.php?id=CVE-2022-22754
14 Feb 2022 — If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Si un usuario instaló una extensión de un tipo particular, la extensión podría haberse actualizado automáticamente y, al hacerlo, omitir el mensaje que otorga a la nueva versión los nuevos permisos solicitados. Esta vulnerabilida... • https://bugzilla.mozilla.org/show_bug.cgi?id=1750565 • CWE-863: Incorrect Authorization CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22763 – Mozilla: Script Execution during invalid object state
https://notcve.org/view.php?id=CVE-2022-22763
14 Feb 2022 — When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6. Cuando se apaga un trabajador, era posible hacer que el script se ejecutara tarde en el ciclo de vida, en un punto posterior al que no debería ser posible. Esta vulnerabilidad afecta a Firefox < 96, Thunderbird< 91.6 y Firefox ESR < 91.6. The Mozilla Foundation Security Advisory... • https://bugzilla.mozilla.org/show_bug.cgi?id=1740534 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22764 – Mozilla: Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6
https://notcve.org/view.php?id=CVE-2022-22764
14 Feb 2022 — Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96 and Firefox ESR 91.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. Los desarrolladores de Mozilla, Paul Adenot y Mozilla Fuzzing Team, informaron sobre errores de seguridad de la memoria presentes en Fire... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1742682%2C1744165%2C1746545%2C1748210%2C1748279 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0511 – Ubuntu Security Notice USN-5284-1
https://notcve.org/view.php?id=CVE-2022-0511
14 Feb 2022 — Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97. Los desarrolladores de Mozilla y miembros de la comunidad Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan ... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1713579%2C1735448%2C1743821%2C1746313%2C1746314%2C1746316%2C1746321%2C1746322%2C1746323%2C1746412%2C1746430%2C1746451%2C1746488%2C1746875%2C1746898%2C1746905%2C1746907%2C1746917%2C1747128%2C1747137%2C1747331%2C1747346%2C1747439%2C1747457%2C1747870%2C1749051%2C1749274%2C1749831 • CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22752 – Ubuntu Security Notice USN-5229-1
https://notcve.org/view.php?id=CVE-2022-22752
14 Jan 2022 — Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 96. Los desarrolladores de Mozilla, Christian Holler y Jason Kratzer, informaron sobre errores de seguridad de la memoria presentes en Firefox 95. Algunos de estos errores mostraron evidencia de corrupción de la ... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1741210%2C1742770 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22745 – Mozilla: Leaking cross-origin URLs through securitypolicyviolation event
https://notcve.org/view.php?id=CVE-2022-22745
13 Jan 2022 — Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Los eventos de violación de la política de seguridad podrían haber filtrado información de origen cruzado sobre violaciones de los ancestros del frame. Esta vulnerabilidad afecta a Firefox ESR < 91.5, Firefox < 96 y Thunderbird < 91.5. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1735856 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 1CVE-2022-22737 – Mozilla: Race condition when playing audio files
https://notcve.org/view.php?id=CVE-2022-22737
13 Jan 2022 — Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. La construcción de receptores de audio podría haber provocado una condición de ejecución al reproducir archivos de audio y cerrar ventanas. Esto podría haber dado lugar a un use-after-free que provocaría un bloqueo potencialmente explotab... • https://bugzilla.mozilla.org/show_bug.cgi?id=1745874 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •