CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-38478 – Mozilla: Memory safety bugs fixed in Firefox 104, Firefox ESR 102.2, and Firefox ESR 91.13
https://notcve.org/view.php?id=CVE-2022-38478
Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104. Los miembros del equipo Mozilla Fuzzing informaron errores de seguridad de la memoria presentes en Firefox 103, Firefox ESR 102.1 y Firefox ESR 91.12. Algunos de estos errores mostraron evidencia de corrupción de memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían haberse aprovechado para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1770630%2C1776658 https://www.mozilla.org/security/advisories/mfsa2022-33 https://www.mozilla.org/security/advisories/mfsa2022-34 https://www.mozilla.org/security/advisories/mfsa2022-35 https://www.mozilla.org/security/advisories/mfsa2022-36 https://www.mozilla.org/security/advisories/mfsa2022-37 https://access.redhat.com/security/cve/CVE-2022-38478 https://bugzilla.redhat.com/show_bug.cgi?id=2120696 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26382
https://notcve.org/view.php?id=CVE-2022-26382
While the text displayed in Autofill tooltips cannot be directly read by JavaScript, the text was rendered using page fonts. Side-channel attacks on the text by using specially crafted fonts could have lead to this text being inferred by the webpage. This vulnerability affects Firefox < 98. Si bien JavaScript no puede leer directamente el texto que se muestra en la información sobre herramientas de Autocompletar, el texto se representó utilizando fuentes de página. Los ataques de canal lateral al texto mediante el uso de fuentes especialmente manipuladas podrían haber llevado a que la página web infiera este texto. • https://bugzilla.mozilla.org/show_bug.cgi?id=1741888 https://www.mozilla.org/security/advisories/mfsa2022-10 • CWE-203: Observable Discrepancy •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26385
https://notcve.org/view.php?id=CVE-2022-26385
In unusual circumstances, an individual thread may outlive the thread's manager during shutdown. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 98. En circunstancias inusuales, un subproceso individual puede sobrevivir al administrador del subproceso durante el cierre. Esto podría haber llevado a un use-after-free que provocó un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1747526 https://www.mozilla.org/security/advisories/mfsa2022-10 • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-2505 – Mozilla: Memory safety bugs fixed in Firefox 103 and 102.1
https://notcve.org/view.php?id=CVE-2022-2505
Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1. Los desarrolladores de Mozilla y el equipo Mozilla Fuzzing informaron errores de seguridad de la memoria presentes en Firefox 102. Algunos de estos errores mostraron evidencia de corrupción de la memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían haberse aprovechado para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1769739%2C1772824 https://www.mozilla.org/security/advisories/mfsa2022-28 https://www.mozilla.org/security/advisories/mfsa2022-30 https://www.mozilla.org/security/advisories/mfsa2022-32 https://access.redhat.com/security/cve/CVE-2022-2505 https://bugzilla.redhat.com/show_bug.cgi?id=2111910 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-36318 – Mozilla: Directory indexes for bundled resources reflected URL parameters
https://notcve.org/view.php?id=CVE-2022-36318
When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12. Al visitar listados de directorios para URL `chrome://` como texto fuente, se reflejaron algunos parámetros. Esta vulnerabilidad afecta a Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird< 102.1 y Thunderbird < 91.12. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1771774 https://www.mozilla.org/security/advisories/mfsa2022-28 https://www.mozilla.org/security/advisories/mfsa2022-29 https://www.mozilla.org/security/advisories/mfsa2022-30 https://www.mozilla.org/security/advisories/mfsa2022-31 https://www.mozilla.org/security/advisories/mfsa2022-32 https://access.redhat.com/security/cve/CVE-2022-36318 https://bugzilla.redhat.com/show_bug.cgi?id=2111908 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •