CVE-2022-34470 – Mozilla: Use-after-free in nsSHistory
https://notcve.org/view.php?id=CVE-2022-34470
Session history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Las navegaciones del historial de sesiones pueden haber provocado un bloqueo de use-after-free y potencialmente explotable. Esta vulnerabilidad afecta a Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102 y Thunderbird < 91.11. The Mozilla Foundation Security Advisory describes this flaw as: Session history navigations may have led to a use-after-free and potentially exploitable crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1765951 https://www.mozilla.org/security/advisories/mfsa2022-24 https://www.mozilla.org/security/advisories/mfsa2022-25 https://www.mozilla.org/security/advisories/mfsa2022-26 https://access.redhat.com/security/cve/CVE-2022-34470 https://bugzilla.redhat.com/show_bug.cgi?id=2102162 • CWE-416: Use After Free •
CVE-2022-2200 – Mozilla: Undesired attributes could be set as part of prototype pollution
https://notcve.org/view.php?id=CVE-2022-2200
If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Si un atacante corrompiera el prototipo de un objeto, habría podido establecer atributos no deseados en un objeto JavaScript, lo que habría llevado a la ejecución de código privilegiado. Esta vulnerabilidad afecta a Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102 y Thunderbird < 91.11. The Mozilla Foundation Security Advisory describes this flaw as: If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1771381 https://www.mozilla.org/security/advisories/mfsa2022-24 https://www.mozilla.org/security/advisories/mfsa2022-25 https://www.mozilla.org/security/advisories/mfsa2022-26 https://access.redhat.com/security/cve/CVE-2022-2200 https://bugzilla.redhat.com/show_bug.cgi?id=2102168 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2022-34472 – Mozilla: Unavailable PAC file resulted in OCSP requests being blocked
https://notcve.org/view.php?id=CVE-2022-34472
If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11. Si hubiera una URL de PAC configurada y no se pudiera acceder al servidor que aloja el PAC, las solicitudes de OCSP se habrían bloqueado, lo que provocaría que se mostraran páginas de error incorrectas. Esta vulnerabilidad afecta a Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102 y Thunderbird < 91.11. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1770123 https://www.mozilla.org/security/advisories/mfsa2022-24 https://www.mozilla.org/security/advisories/mfsa2022-25 https://www.mozilla.org/security/advisories/mfsa2022-26 https://access.redhat.com/security/cve/CVE-2022-34472 https://bugzilla.redhat.com/show_bug.cgi?id=2102166 • CWE-393: Return of Wrong Status Code •
CVE-2022-31744 – Mozilla: CSP bypass enabling stylesheet injection
https://notcve.org/view.php?id=CVE-2022-31744
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101. Un atacante podría haber inyectado CSS en hojas de estilo accesibles a través de URI internos, como recurso:, y al hacerlo eludir la Política de seguridad de contenido de una página. Esta vulnerabilidad afecta a Firefox ESR < 91.11, Thunderbird < 102, Thunderbird< 91.11 y Firefox < 101. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1757604 https://www.mozilla.org/security/advisories/mfsa2022-20 https://www.mozilla.org/security/advisories/mfsa2022-25 https://www.mozilla.org/security/advisories/mfsa2022-26 https://access.redhat.com/security/cve/CVE-2022-31744 https://bugzilla.redhat.com/show_bug.cgi?id=2102165 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-31738 – Mozilla: Browser window spoof using fullscreen mode
https://notcve.org/view.php?id=CVE-2022-31738
When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. Al salir del modo de pantalla completa, un iframe podría haber confundido al navegador sobre el estado actual de la pantalla completa, lo que podría generar confusión en el usuario o ataques de suplantación de identidad. Esta vulnerabilidad afecta a Thunderbird < 91.10, Firefox < 101 y Firefox ESR < 91.10. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1756388 https://www.mozilla.org/security/advisories/mfsa2022-20 https://www.mozilla.org/security/advisories/mfsa2022-21 https://www.mozilla.org/security/advisories/mfsa2022-22 https://access.redhat.com/security/cve/CVE-2022-31738 https://bugzilla.redhat.com/show_bug.cgi?id=2092021 • CWE-290: Authentication Bypass by Spoofing CWE-1021: Improper Restriction of Rendered UI Layers or Frames •