#VU63502 Input validation error in Mozilla products - CVE-2022-1529
Published: May 21, 2022 / Updated: May 27, 2022
Mozilla Firefox
Firefox ESR
Firefox for Android
Mozilla
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input within the NotificationsDB module. A remote attacker can trick the victim into visiting a specially crafted web page, which passes malicious messages to the parent process, where the contents are used to double-index into a JavaScript object. As a result, an attacker can perform prototype pollution and execute arbitrary JavaScript code in the privileged parent process.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
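The double-index pattern described above, shown as an added example beside a hardened form. This is not Firefox source code; `storeUnsafe`, `storeSafe`, `demo` and the message fields `origin`, `id` and `data` are hypothetical names, and the message is constructed.

```javascript
// Added illustration of the bug class; not taken from Firefox or NotificationsDB.

// Vulnerable pattern: two keys from an untrusted message index a plain object.
// When msg.origin is "__proto__", db[msg.origin] resolves to Object.prototype,
// so the second index writes a property that every object then inherits.
function storeUnsafe(db, msg) {
  if (!db[msg.origin]) db[msg.origin] = {};
  db[msg.origin][msg.id] = msg.data;
}

// Hardened pattern: validate key types and keep untrusted keys in Maps,
// where "__proto__" is an ordinary key with no link to the prototype chain.
function storeSafe(db, msg) {
  for (const key of [msg.origin, msg.id]) {
    if (typeof key !== "string" || key.length === 0) {
      throw new TypeError("message key must be a non-empty string");
    }
  }
  let bucket = db.get(msg.origin);
  if (!bucket) {
    bucket = new Map();
    db.set(msg.origin, bucket);
  }
  bucket.set(msg.id, msg.data);
}

function demo() {
  // Constructed message, as a less-privileged sender might supply it.
  const msg = JSON.parse('{"origin":"__proto__","id":"isTrusted","data":true}');

  storeUnsafe({}, msg);
  const pollutedAfterUnsafe = ({}).isTrusted === true; // unrelated object affected
  delete Object.prototype.isTrusted;                   // undo the pollution

  const safeDb = new Map();
  storeSafe(safeDb, msg);
  const pollutedAfterSafe = ({}).isTrusted === true;

  return {
    pollutedAfterUnsafe,
    pollutedAfterSafe,
    stored: safeDb.get("__proto__").get("isTrusted"),
  };
}

console.log(demo());
```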