CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22745 – Mozilla: Leaking cross-origin URLs through securitypolicyviolation event
https://notcve.org/view.php?id=CVE-2022-22745
Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Los eventos de violación de la política de seguridad podrían haber filtrado información de origen cruzado sobre violaciones de los ancestros del frame. Esta vulnerabilidad afecta a Firefox ESR < 91.5, Firefox < 96 y Thunderbird < 91.5. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1735856 https://www.mozilla.org/security/advisories/mfsa2022-01 https://www.mozilla.org/security/advisories/mfsa2022-02 https://www.mozilla.org/security/advisories/mfsa2022-03 https://access.redhat.com/security/cve/CVE-2022-22745 https://bugzilla.redhat.com/show_bug.cgi?id=2039570 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22747 – Mozilla: Crash when handling empty pkcs7 sequence
https://notcve.org/view.php?id=CVE-2022-22747
After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Después de aceptar un certificado que no es de confianza, manejar una secuencia pkcs7 vacía como parte de los datos del certificado podría haber provocado un bloqueo. Se cree que este accidente no es explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1735028 https://www.mozilla.org/security/advisories/mfsa2022-01 https://www.mozilla.org/security/advisories/mfsa2022-02 https://www.mozilla.org/security/advisories/mfsa2022-03 https://access.redhat.com/security/cve/CVE-2022-22747 https://bugzilla.redhat.com/show_bug.cgi?id=2039572 • CWE-295: Improper Certificate Validation CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-22748 – Mozilla: Spoofed origin on external protocol launch dialog
https://notcve.org/view.php?id=CVE-2022-22748
Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Los sitios web maliciosos podrían haber confundido a Firefox al mostrar el origen incorrecto al solicitar iniciar un programa y manejar un protocolo URL externo. Esta vulnerabilidad afecta a Firefox ESR < 91.5, Firefox < 96 y Thunderbird < 91.5. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1705211 https://www.mozilla.org/security/advisories/mfsa2022-01 https://www.mozilla.org/security/advisories/mfsa2022-02 https://www.mozilla.org/security/advisories/mfsa2022-03 https://access.redhat.com/security/cve/CVE-2022-22748 https://bugzilla.redhat.com/show_bug.cgi?id=2039569 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-22751 – Mozilla: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5
https://notcve.org/view.php?id=CVE-2022-22751
Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Los desarrolladores de Mozilla, Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke y Steve Fink informaron sobre errores de seguridad de la memoria presentes en Firefox 95 y Firefox ESR 91.4. Algunos de estos errores mostraron evidencia de corrupción de memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían haberse aprovechado para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1664149%2C1737816%2C1739366%2C1740274%2C1740797%2C1741201%2C1741869%2C1743221%2C1743515%2C1745373%2C1746011 https://www.mozilla.org/security/advisories/mfsa2022-01 https://www.mozilla.org/security/advisories/mfsa2022-02 https://www.mozilla.org/security/advisories/mfsa2022-03 https://access.redhat.com/security/cve/CVE-2022-22751 https://bugzilla.redhat.com/show_bug.cgi?id=2039574 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2021-4140 – Mozilla: Iframe sandbox bypass with XSLT
https://notcve.org/view.php?id=CVE-2021-4140
It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5. Fue posible construir un marcado XSLT específico que podría omitir un entorno limitado de iframe. Esta vulnerabilidad afecta a Firefox ESR < 91.5, Firefox < 96 y Thunderbird < 91.5. The Mozilla Foundation Security Advisory describes this flaw as: It was possible to construct specific XSLT markups that would enable someone to bypass an iframe sandbox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1746720 https://www.mozilla.org/security/advisories/mfsa2022-01 https://www.mozilla.org/security/advisories/mfsa2022-02 https://www.mozilla.org/security/advisories/mfsa2022-03 https://access.redhat.com/security/cve/CVE-2021-4140 https://bugzilla.redhat.com/show_bug.cgi?id=2039568 • CWE-91: XML Injection (aka Blind XPath Injection) CWE-1021: Improper Restriction of Rendered UI Layers or Frames •