CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-45413
https://notcve.org/view.php?id=CVE-2022-45413
Using the <code>S.browser_fallback_url parameter</code> parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.<br>*This issue only affects Firefox for Android. Other operating systems are not affected.*. This vulnerability affects Firefox < 107. • https://bugzilla.mozilla.org/show_bug.cgi?id=1791201 https://www.mozilla.org/security/advisories/mfsa2022-47 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45410 – Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy
https://notcve.org/view.php?id=CVE-2022-45410
When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. Cuando un ServiceWorker interceptó una solicitud con <code>FetchEvent</code>, el origen de la solicitud se perdió después de que ServiceWorker tomó posesión de ella. • https://bugzilla.mozilla.org/show_bug.cgi?id=1658869 https://www.mozilla.org/security/advisories/mfsa2022-47 https://www.mozilla.org/security/advisories/mfsa2022-48 https://www.mozilla.org/security/advisories/mfsa2022-49 https://access.redhat.com/security/cve/CVE-2022-45410 https://bugzilla.redhat.com/show_bug.cgi?id=2143203 • CWE-1275: Sensitive Cookie with Improper SameSite Attribute •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3266 – Mozilla: Out of bounds read when decoding H264
https://notcve.org/view.php?id=CVE-2022-3266
An out-of-bounds read can occur when decoding H264 video. This results in a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. Puede ocurrir una lectura fuera de los límites al decodificar video H264. Esto da como resultado un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1767360 https://www.mozilla.org/security/advisories/mfsa2022-40 https://www.mozilla.org/security/advisories/mfsa2022-41 https://www.mozilla.org/security/advisories/mfsa2022-42 https://access.redhat.com/security/cve/CVE-2022-3266 https://bugzilla.redhat.com/show_bug.cgi?id=2157739 • CWE-125: Out-of-bounds Read •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42931
https://notcve.org/view.php?id=CVE-2022-42931
Logins saved by Firefox should be managed by the Password Manager component which uses encryption to save files on-disk. Instead, the username (not password) was saved by the Form Manager to an unencrypted file on disk. This vulnerability affects Firefox < 106. Los inicios de sesión guardados por Firefox deben ser administrados por el componente Administrador de contraseñas, que utiliza cifrado para guardar archivos en el disco. En cambio, el Administrador de formularios guardó el nombre de usuario (no la contraseña) en un archivo no cifrado en el disco. • https://bugzilla.mozilla.org/show_bug.cgi?id=1780571 https://www.mozilla.org/security/advisories/mfsa2022-44 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42930
https://notcve.org/view.php?id=CVE-2022-42930
If two Workers were simultaneously initializing their CacheStorage, a data race could have occurred in the `ThirdPartyUtil` component. This vulnerability affects Firefox < 106. Si dos trabajadores inicializaran simultáneamente su CacheStorage, podría haberse producido una "carrera" de datos en el componente 'ThirdPartyUtil'. Esta vulnerabilidad afecta a Firefox < 106. • https://bugzilla.mozilla.org/show_bug.cgi?id=1789503 https://www.mozilla.org/security/advisories/mfsa2022-44 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •