CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34471
https://notcve.org/view.php?id=CVE-2022-34471
When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version. This vulnerability affects Firefox < 102. Al descargar una actualización para un complemento, no se verificó que la versión de la actualización del complemento descargada coincidiera con la versión seleccionada en el manifiesto. Si el manifiesto hubiera sido manipulado en el servidor, un atacante podría engañar al navegador para que degradara el complemento a una versión anterior. • https://bugzilla.mozilla.org/show_bug.cgi?id=1766047 https://www.mozilla.org/security/advisories/mfsa2022-24 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22755
https://notcve.org/view.php?id=CVE-2022-22755
By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97. Al utilizar transformaciones XSL, un servidor web malicioso podría haber entregado a un usuario un documento XSL que continuaría ejecutando JavaScript (dentro de los límites de la política del mismo origen) incluso después de cerrar la pestaña. Esta vulnerabilidad afecta a Firefox < 97. • https://bugzilla.mozilla.org/show_bug.cgi?id=1309630 https://www.mozilla.org/security/advisories/mfsa2022-04 • CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36315
https://notcve.org/view.php?id=CVE-2022-36315
When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103. Al cargar un script con Subresource Integrity, los atacantes con capacidad de inyección podrían desencadenar la reutilización de entradas previamente almacenadas en caché con metadatos de integridad incorrectos y diferentes. Esta vulnerabilidad afecta a Firefox < 103. • https://bugzilla.mozilla.org/show_bug.cgi?id=1762520 https://www.mozilla.org/security/advisories/mfsa2022-28 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 1CVE-2022-22753
https://notcve.org/view.php?id=CVE-2022-22753
A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.<br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. • https://bugzilla.mozilla.org/show_bug.cgi?id=1732435 https://www.mozilla.org/security/advisories/mfsa2022-04 https://www.mozilla.org/security/advisories/mfsa2022-05 https://www.mozilla.org/security/advisories/mfsa2022-06 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22758
https://notcve.org/view.php?id=CVE-2022-22758
When clicking on a tel: link, USSD codes, specified after a <code>\*</code> character, would be included in the phone number. On certain phones, or on certain carriers, if the number was dialed this could perform actions on a user's account, similar to a cross-site request forgery attack.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97. • https://bugzilla.mozilla.org/show_bug.cgi?id=1728742 https://www.mozilla.org/security/advisories/mfsa2022-04 • CWE-319: Cleartext Transmission of Sensitive Information •