Multiple vulnerabilities in Mozilla Firefox



Published: 2022-01-11
Risk High
Patch available YES
Number of vulnerabilities 18
CVE-ID CVE-2022-22748
CVE-2022-22751
CVE-2022-22739
CVE-2022-22736
CVE-2022-22747
CVE-2022-22744
CVE-2022-22745
CVE-2022-22749
CVE-2022-22746
CVE-2022-22750
CVE-2021-4140
CVE-2022-22737
CVE-2022-22738
CVE-2022-22740
CVE-2022-22741
CVE-2022-22742
CVE-2022-22743
CVE-2022-22752
CWE-ID CWE-451
CWE-119
CWE-254
CWE-428
CWE-20
CWE-78
CWE-200
CWE-1021
CWE-416
CWE-122
CWE-787
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Mozilla Firefox
Client/Desktop applications / Web browsers

Firefox ESR
Client/Desktop applications / Web browsers

Firefox for Android
Mobile applications / Apps for mobile phones

Vendor Mozilla

Security Bulletin

This security bulletin contains information about 18 vulnerabilities.

1) Spoofing attack

EUVDB-ID: #VU59376

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22748

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU59382

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22751

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security features bypass

EUVDB-ID: #VU59381

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22739

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing throttling on external protocol launch dialog. A malicious websites can trick users into accepting launching a program to handle an external URL protocol.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Unquoted Search Path or Element

EUVDB-ID: #VU59380

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22736

CWE-ID: CWE-428 - Unquoted Search Path or Element

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to unquoted search path in Firefox installer. A local user with ability to write files into the Firefox installation folder can place a specially crafted library and execute arbitrary code on the system.

The vulnerability affects Firefox for Windows in a non-default installation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU59379

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22747

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of empty pkcs7 sequence, passed as part of the certificate data. A remote attacker can pass specially crafted certificate to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) OS Command Injection

EUVDB-ID: #VU59378

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22744

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "Copy as curl" feature in DevTools. A remote attacker can trick the victim to cope a specially crafted link and execute arbitrary commands on the system, if copied data is pasted into a Powershell prompt.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Information disclosure

EUVDB-ID: #VU59377

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22745

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Securitypolicyviolation events leak cross-origin information for frame-ancestors violations. A remote attacker can gain access to sensitive data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU59375

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22749

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of QR codes. When scanning QR codes, Firefox for Android allows navigation to some URLs that do not point to web content.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 66.0.4, 66.0.5, 67.0, 67.0.2, 67.0.3, 68.0, 68.0.2, 68.1, 68.1.1, 68.2.0, 68.2.1, 68.3.0, 68.4.0, 68.4.1, 68.4.2, 68.5.0, 68.7.0, 68.8.0, 68.8.1, 68.10.0, 68.10.1, 79.0.0, 79.0.2, 79.0.4, 79.0.5, 80.1.2, 81.1.0, 81.1.3, 81.1.4, 81.1.5, 82.1.0, 82.1.1, 82.1.3, 83.0.0, 83.1.0, 84.1.0, 84.1.1, 84.1.2, 84.1.3, 84.1.4, 85.1.0, 85.1.1, 85.1.2, 85.1.3, 86.1.0, 86.1.1, 88.1.0, 88.1.1, 88.1.2, 88.1.3, 88.1.4, 89.1.0, 89.1.1, 90.1.0, 90.1.1, 90.1.2, 90.1.3, 91.1.0, 91.2.0, 91.3.0, 91.3.1, 91.4.0, 92.1.0, 92.1.1, 93.1.0, 93.2.0, 94.1.0, 94.1.1, 94.1.2, 95.1.0, 95.2.0

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to perform certain actions on the device.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper Restriction of Rendered UI Layers or Frames

EUVDB-ID: #VU59366

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22746

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to a race condition when calling reportValidity. A remote attacker can trick the victim to open a specially crafted web page and bypass the fullscreen notification, which can lead to spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Security features bypass

EUVDB-ID: #VU59374

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22750

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to Firefox passes resource handles across processes. A remote attacker can create a specially crafted web page that can confuse the higher privileged processes to interact with handles that the unprivileged process should not have access to.

The vulnerability affects Firefox installation on Windows and macOS only.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Security features bypass

EUVDB-ID: #VU59373

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4140

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in iframe sandbox implementation when processing XSLT markup. A remote attacker can bypass iframe sandbox and execute arbitrary JavaScript code in context of arbitrary window.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU59372

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22737

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition playing audio files. A remote attacker can construct a specially crafted audio skin, trigger a use-after-free error and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Heap-based buffer overflow

EUVDB-ID: #VU59371

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22738

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in blendGaussianBlur when applying CSS filter. A remote attacker can trick the victim to open a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Use-after-free

EUVDB-ID: #VU59370

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22740

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in ChannelEventQueue::mOwner when releasing a network request handle. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper Restriction of Rendered UI Layers or Frames

EUVDB-ID: #VU59369

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22741

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error resizing a popup while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page,  and make the browser unable to leave fullscreen mode.

Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Out-of-bounds write

EUVDB-ID: #VU59368

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22742

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input, when inserting text while in edit mode. A remote attacker can create a specially crafted website, trick the victim into opening it and insert specially crafted input in the edit mode, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0, 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper Restriction of Rendered UI Layers or Frames

EUVDB-ID: #VU59367

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22743

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error when navigating from inside an iframe while requesting fullscreen access. A remote attacker can trick the victim to open a specially crafted web page,  and make the browser unable to leave fullscreen mode.

Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0, 80.0.1, 81.0, 81.0.1, 81.0.2, 82.0, 82.0.1, 82.0.2, 82.0.3, 83.0, 84.0, 84.0.1, 84.0.2, 85.0, 85.0.1, 85.0.2, 86.0, 86.0.1, 87.0, 88.0, 88.0.1, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1, 90.0.2, 91.0, 91.0.1, 91.0.2, 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

Firefox ESR: 91.0.1, 91.1.0, 91.2.0, 91.3.0, 91.4.0, 91.4.1

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/
http://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU59383

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-22752

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 92.0, 92.0.1, 93.0, 94.0, 94.0.1, 94.0.2, 95.0, 95.0.1, 95.0.2

CPE2.3 External links

http://www.mozilla.org/en-US/security/advisories/mfsa2022-01/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###