CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1520 – Mozilla: Incorrect security status shown after viewing an attached email
https://notcve.org/view.php?id=CVE-2022-1520
When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9. Al visualizar un mensaje de correo electrónico A, que contiene un mensaje B adjunto, donde B está cifrado o firmado digitalmente o ambos, Thunderbird puede mostrar un estado de cifrado o firma incorrecto. Después de abrir y ver el mensaje B adjunto, al regresar a la visualización del mensaje A, es posible que el mensaje A se muestre con el estado de seguridad del mensaje B. • https://bugzilla.mozilla.org/show_bug.cgi?id=1745019 https://www.mozilla.org/security/advisories/mfsa2022-18 https://access.redhat.com/security/cve/CVE-2022-1520 https://bugzilla.redhat.com/show_bug.cgi?id=2082037 • CWE-203: Observable Discrepancy •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29909 – Mozilla: Bypassing permission prompt in nested browsing contexts
https://notcve.org/view.php?id=CVE-2022-29909
Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Los documentos en contextos de navegación entre orígenes profundamente anidados podrían haber obtenido permisos otorgados al origen de nivel superior, omitiendo el mensaje existente y heredando erróneamente los permisos de nivel superior. Esta vulnerabilidad afecta a Thunderbird < 91.9, Firefox ESR < 91.9 y Firefox < 100. The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. • https://bugzilla.mozilla.org/show_bug.cgi?id=1755081 https://www.mozilla.org/security/advisories/mfsa2022-16 https://www.mozilla.org/security/advisories/mfsa2022-17 https://www.mozilla.org/security/advisories/mfsa2022-18 https://access.redhat.com/security/cve/CVE-2022-29909 https://bugzilla.redhat.com/show_bug.cgi?id=2081469 • CWE-276: Incorrect Default Permissions CWE-281: Improper Preservation of Permissions •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29911 – Mozilla: iframe Sandbox bypass
https://notcve.org/view.php?id=CVE-2022-29911
An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Una implementación incorrecta de la nueva palabra clave de iframe sandbox <code>allow-top-navigation-by-user-activation</code> podría provocar la ejecución del script sin que <code>allow-scripts</code> esté presente. Esta vulnerabilidad afecta a Thunderbird < 91.9, Firefox ESR < 91.9 y Firefox < 100. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1761981 https://www.mozilla.org/security/advisories/mfsa2022-16 https://www.mozilla.org/security/advisories/mfsa2022-17 https://www.mozilla.org/security/advisories/mfsa2022-18 https://access.redhat.com/security/cve/CVE-2022-29911 https://bugzilla.redhat.com/show_bug.cgi?id=2081471 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2022-29912 – Mozilla: Reader mode bypassed SameSite cookies
https://notcve.org/view.php?id=CVE-2022-29912
Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Las solicitudes iniciadas a través del modo lector no omitieron correctamente las cookies con un atributo SameSite. Esta vulnerabilidad afecta a Thunderbird < 91.9, Firefox ESR < 91.9 y Firefox < 100. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1692655 https://www.mozilla.org/security/advisories/mfsa2022-16 https://www.mozilla.org/security/advisories/mfsa2022-17 https://www.mozilla.org/security/advisories/mfsa2022-18 https://access.redhat.com/security/cve/CVE-2022-29912 https://bugzilla.redhat.com/show_bug.cgi?id=2081472 • CWE-565: Reliance on Cookies without Validation and Integrity Checking CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29914 – Mozilla: Fullscreen notification bypass using popups
https://notcve.org/view.php?id=CVE-2022-29914
When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. Al reutilizar ventanas emergentes existentes, Firefox les habría permitido cubrir la interfaz de usuario de notificación en pantalla completa, lo que podría haber permitido ataques de suplantación de identidad del navegador. Esta vulnerabilidad afecta a Thunderbird < 91.9, Firefox ESR < 91.9 y Firefox < 100. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1746448 https://www.mozilla.org/security/advisories/mfsa2022-16 https://www.mozilla.org/security/advisories/mfsa2022-17 https://www.mozilla.org/security/advisories/mfsa2022-18 https://access.redhat.com/security/cve/CVE-2022-29914 https://bugzilla.redhat.com/show_bug.cgi?id=2081468 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •