CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22758
https://notcve.org/view.php?id=CVE-2022-22758
When clicking on a tel: link, USSD codes, specified after a <code>\*</code> character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97. • https://bugzilla.mozilla.org/show_bug.cgi?id=1728742 https://www.mozilla.org/security/advisories/mfsa2022-04 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31739
https://notcve.org/view.php?id=CVE-2022-31739
When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. Al descargar archivos en Windows, el carácter % no se escapaba, lo que podría haber provocado que una descarga se guardara incorrectamente en rutas influenciadas por el atacante que utilizaban variables como %HOMEPATH% o %APPDATA%. • https://bugzilla.mozilla.org/show_bug.cgi?id=1765049 https://www.mozilla.org/security/advisories/mfsa2022-20 https://www.mozilla.org/security/advisories/mfsa2022-21 https://www.mozilla.org/security/advisories/mfsa2022-22 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34482
https://notcve.org/view.php?id=CVE-2022-34482
An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102. Un atacante que podría haber convencido a un usuario de arrastrar y soltar una imagen en un sistema de archivos podría haber manipulado el nombre del archivo resultante para que contuviera una extensión ejecutable y, por extensión, potencialmente engañar al usuario para que ejecutara código malicioso. Si bien es muy similar, este es un problema separado de CVE-2022-34483. • https://bugzilla.mozilla.org/show_bug.cgi?id=845880 https://www.mozilla.org/security/advisories/mfsa2022-24 •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31745
https://notcve.org/view.php?id=CVE-2022-31745
If array shift operations are not used, the Garbage Collector may have become confused about valid objects. This vulnerability affects Firefox < 101. Si no se utilizan operaciones de cambio de matriz, es posible que el recolector de basura se haya confundido acerca de los objetos válidos. Esta vulnerabilidad afecta a Firefox < 101. • https://bugzilla.mozilla.org/show_bug.cgi?id=1760944 https://www.mozilla.org/security/advisories/mfsa2022-20 • CWE-129: Improper Validation of Array Index •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34475
https://notcve.org/view.php?id=CVE-2022-34475
SVG <code><use></code> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed. This vulnerability affects Firefox < 102. Las etiquetas SVG <code></code> que hacían referencia a un documento del mismo origen podrían haber dado lugar a la ejecución de un script si la entrada del atacante se hubiera sanitizado a través de la API HTML Sanitizer. Esto habría requerido que el atacante hiciera referencia a un archivo JavaScript del mismo origen que contenía el script a ejecutar. • https://bugzilla.mozilla.org/show_bug.cgi?id=1757210 https://www.mozilla.org/security/advisories/mfsa2022-24 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •