‼ CVE-2022-22760 ‼
📖 Read
via "National Vulnerability Database".
When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22748 ‼
📖 Read
via "National Vulnerability Database".
Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35646 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Governance, Identity Manager 10.0.1 software component could allow an authenticated user to modify or cancel any other user's access request using man-in-the-middle techniques. IBM X-Force ID: 231096.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31741 ‼
📖 Read
via "National Vulnerability Database".
A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45407 ‼
📖 Read
via "National Vulnerability Database".
If an attacker loaded a font using <code>FontFace()</code> on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash. This vulnerability affects Firefox < 107.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46883 ‼
📖 Read
via "National Vulnerability Database".
Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.<br />*Note*: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107. This vulnerability affects Firefox < 107.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40961 ‼
📖 Read
via "National Vulnerability Database".
During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash.<br>*This issue only affects Firefox for Android. Other operating systems are not affected.*. This vulnerability affects Firefox < 105.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45414 ‼
📖 Read
via "National Vulnerability Database".
If a Thunderbird user quoted from an HTML email, for example by replying to the email, and the email contained either a VIDEO tag with the POSTER attribute or an OBJECT tag with a DATA attribute, a network request to the referenced remote URL was performed, regardless of a configuration to block remote content. An image loaded from the POSTER attribute was shown in the composer window. These issues could have given an attacker additional capabilities when targetting releases that did not yet have a fix for CVE-2022-3033 which was reported around three months ago. This vulnerability affects Thunderbird < 102.5.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29918 ‼
📖 Read
via "National Vulnerability Database".
Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 100.📖 Read
via "National Vulnerability Database".
🕴 Inside The Next-Level Fraud Ring Scamming Billions Off Holiday Retailers 🕴
📖 Read
via "Dark Reading".
"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.📖 Read
via "Dark Reading".
Dark Reading
Inside the Next-Level Fraud Ring Scamming Billions Off Holiday Retailers
"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.
‼ CVE-2022-34480 ‼
📖 Read
via "National Vulnerability Database".
Within the <code>lg_init()</code> function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated. This vulnerability affects Firefox < 102.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46882 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free in WebGL extensions could have led to a potentially exploitable crash. This vulnerability affects Firefox < 107, Firefox ESR < 102.6, and Thunderbird < 102.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42929 ‼
📖 Read
via "National Vulnerability Database".
If a website called <code>window.print()</code> in a particular way, it could cause a denial of service of the browser, which may persist beyond browser restart depending on the user's session restore settings. This vulnerability affects Thunderbird < 102.4, Firefox ESR < 102.4, and Firefox < 106.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45412 ‼
📖 Read
via "National Vulnerability Database".
When resolving a symlink such as <code>file:///proc/self/fd/1</code>, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer. <br>*This bug only affects Thunderbird on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected.*. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46872 ‼
📖 Read
via "National Vulnerability Database".
An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages.<br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 108, Firefox ESR < 102.6, and Thunderbird < 102.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46873 ‼
📖 Read
via "National Vulnerability Database".
Because Firefox did not implement the <code>unsafe-hashes</code> CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject executable script. This would be severely constrained by the specified Content Security Policy of the document. This vulnerability affects Firefox < 108.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31736 ‼
📖 Read
via "National Vulnerability Database".
A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0843 ‼
📖 Read
via "National Vulnerability Database".
Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 98.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3034 ‼
📖 Read
via "National Vulnerability Database".
When receiving an HTML email that specified to load an <code>iframe</code> element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38472 ‼
📖 Read
via "National Vulnerability Database".
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40962 ‼
📖 Read
via "National Vulnerability Database".
Mozilla developers Nika Layzell, Timothy Nikkel, Sebastian Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 104 and Firefox ESR 102.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.📖 Read
via "National Vulnerability Database".