CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-22143 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2022-22143
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508) El paquete convict versiones anteriores a 6.2.2, son vulnerables a una Contaminación de Prototipos por medio de la función convict debido a la falta de comprobación de parentKey. **Nota:** Esta vulnerabilidad deriva de una corrección incompleta de otra [vulnerabilidad](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508) • https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569 https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880 https://snyk.io/vuln/SNYK-JS-CONVICT-2340604 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1197 – Mozilla: OpenPGP revocation information was ignored
https://notcve.org/view.php?id=CVE-2022-1197
When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected. This vulnerability affects Thunderbird < 91.8. Al importar una clave revocada que especificaba el compromiso de la clave como motivo de revocación, Thunderbird no actualizaba la copia existente de la clave que aún no había sido revocada y la clave existente se mantenía como no revocada. Las declaraciones de revocación que utilizaban otro motivo de revocación o que no especificaban un motivo de revocación no se vieron afectadas. • https://bugzilla.mozilla.org/show_bug.cgi?id=1754985 https://www.mozilla.org/security/advisories/mfsa2022-15 https://access.redhat.com/security/cve/CVE-2022-1197 https://bugzilla.redhat.com/show_bug.cgi?id=2072963 • CWE-295: Improper Certificate Validation •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 4CVE-2022-28286 – Mozilla: iframe contents could be rendered outside the border
https://notcve.org/view.php?id=CVE-2022-28286
Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. Debido a un cambio de diseño, es posible que el contenido del iframe se haya representado fuera de su borde. Esto podría haber provocado confusión en el usuario o ataques de suplantación de identidad. • https://bugzilla.mozilla.org/show_bug.cgi?id=1735265 https://www.mozilla.org/security/advisories/mfsa2022-13 https://www.mozilla.org/security/advisories/mfsa2022-14 https://www.mozilla.org/security/advisories/mfsa2022-15 https://access.redhat.com/security/cve/CVE-2022-28286 https://bugzilla.redhat.com/show_bug.cgi?id=2072564 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-1196 – Mozilla: Use-after-free after VR Process destruction
https://notcve.org/view.php?id=CVE-2022-1196
After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8. Después de que se destruye un proceso de realidad virtual, es posible que se haya conservado y utilizado una referencia al mismo, lo que ha provocado un bloqueo de un use-after-free y potencialmente explotable. Esta vulnerabilidad afecta a Thunderbird < 91.8 y Firefox ESR < 91.8. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1750679 https://www.mozilla.org/security/advisories/mfsa2022-14 https://www.mozilla.org/security/advisories/mfsa2022-15 https://access.redhat.com/security/cve/CVE-2022-1196 https://bugzilla.redhat.com/show_bug.cgi?id=2072561 • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 4CVE-2022-28285 – Mozilla: Incorrect AliasSet used in JIT Codegen
https://notcve.org/view.php?id=CVE-2022-28285
When generating the assembly code for <code>MLoadTypedArrayElementHole</code>, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. Al generar el código ensamblador para <code>MLoadTypedArrayElementHole</code>, se utilizó un AliasSet incorrecto. Junto con otra vulnerabilidad, esto podría haberse utilizado para una lectura de memoria fuera de los límites. • https://bugzilla.mozilla.org/show_bug.cgi?id=1756957 https://www.mozilla.org/security/advisories/mfsa2022-13 https://www.mozilla.org/security/advisories/mfsa2022-14 https://www.mozilla.org/security/advisories/mfsa2022-15 https://access.redhat.com/security/cve/CVE-2022-28285 https://bugzilla.redhat.com/show_bug.cgi?id=2072563 • CWE-125: Out-of-bounds Read •