CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31736 – Mozilla: Cross-Origin resource's length leaked
https://notcve.org/view.php?id=CVE-2022-31736
A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. Un sitio web malicioso podría haber aprendido el tamaño de un recurso de origen cruzado que admitiera solicitudes de rango. Esta vulnerabilidad afecta a Thunderbird < 91.10, Firefox < 101 y Firefox ESR < 91.10. The Mozilla Foundation Security Advisory describes this flaw as: A malicious website that could have learned the size of a cross-origin resource that supported Range requests. • https://bugzilla.mozilla.org/show_bug.cgi?id=1735923 https://www.mozilla.org/security/advisories/mfsa2022-20 https://www.mozilla.org/security/advisories/mfsa2022-21 https://www.mozilla.org/security/advisories/mfsa2022-22 https://access.redhat.com/security/cve/CVE-2022-31736 https://bugzilla.redhat.com/show_bug.cgi?id=2092018 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31741 – Mozilla: Uninitialized variable leads to invalid memory read
https://notcve.org/view.php?id=CVE-2022-31741
A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. Un mensaje CMS manipulado podría haberse procesado incorrectamente, lo que habría provocado una lectura de memoria no válida y, potencialmente, una mayor corrupción de la memoria. Esta vulnerabilidad afecta a Thunderbird < 91.10, Firefox < 101 y Firefox ESR < 91.10. The Mozilla Foundation Security Advisory describes this flaw as: A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. • https://bugzilla.mozilla.org/show_bug.cgi?id=1767590 https://www.mozilla.org/security/advisories/mfsa2022-20 https://www.mozilla.org/security/advisories/mfsa2022-21 https://www.mozilla.org/security/advisories/mfsa2022-22 https://access.redhat.com/security/cve/CVE-2022-31741 https://bugzilla.redhat.com/show_bug.cgi?id=2092024 • CWE-457: Use of Uninitialized Variable CWE-908: Use of Uninitialized Resource •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 1CVE-2022-1802 – Mozilla Firefox Top-Level Await Prototype Pollution Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-1802
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. Si un atacante pudo corromper los métodos de un objeto Array en JavaScript mediante la contaminación de prototipos, podría haber logrado la ejecución del código JavaScript controlado por el atacante en un contexto privilegiado. Esta vulnerabilidad afecta a Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox para Android < 100.3.0 y Thunderbird < 91.9.1. The Mozilla Foundation Security Advisory describes this flaw as: If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. • https://github.com/mistymntncop/CVE-2022-1802 https://bugzilla.mozilla.org/show_bug.cgi?id=1770137 https://www.mozilla.org/security/advisories/mfsa2022-19 https://access.redhat.com/security/cve/CVE-2022-1802 https://bugzilla.redhat.com/show_bug.cgi?id=2089217 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-1529 – Mozilla Firefox Improper Input Validation Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2022-1529
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1. Un atacante podría haber enviado un mensaje al proceso principal donde el contenido se usó para realizar un doble índice en un objeto JavaScript, lo que provocó la contaminación del prototipo y, en última instancia, la ejecución de JavaScript controlada por el atacante en el proceso principal privilegiado. Esta vulnerabilidad afecta a Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox para Android < 100.3.0 y Thunderbird < 91.9.1. The Mozilla Foundation Security Advisory describes this flaw as: An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. • https://bugzilla.mozilla.org/show_bug.cgi?id=1770048 https://www.mozilla.org/security/advisories/mfsa2022-19 https://access.redhat.com/security/cve/CVE-2022-1529 https://bugzilla.redhat.com/show_bug.cgi?id=2089218 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29915
https://notcve.org/view.php?id=CVE-2022-29915
The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100. La API de rendimiento no ocultó adecuadamente el hecho de si un recurso de solicitud de origen cruzado ha observado redireccionamientos. Esta vulnerabilidad afecta a Firefox < 100. • https://bugzilla.mozilla.org/show_bug.cgi?id=1751678 https://www.mozilla.org/security/advisories/mfsa2022-16 •