CVE-2022-22748Cross-site Scripting in Mozilla Firefox

CWE-79Cross-site ScriptingCWE-1021UI Misrepresentation / Clickjacking13 documents8 sources
Severity
6.5MEDIUMNVD
OSV8.8
EPSS
0.4%
top 36.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedDec 22

Description

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

CVEListV5mozilla/firefoxunspecified96
NVDmozilla/firefox< 96.0
CVEListV5mozilla/firefox_esrunspecified91.5
CVEListV5mozilla/thunderbirdunspecified91.5

🔴Vulnerability Details

4
CVEList
CVE-2022-22748: Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol2022-12-22
OSV
CVE-2022-22748: Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol2022-12-22
GHSA
GHSA-74mv-468m-jp37: Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol2022-12-22
OSV
thunderbird vulnerabilities2022-01-21

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2022-01-21
Ubuntu
Thunderbird vulnerabilities2022-01-21
Ubuntu
Firefox vulnerabilities2022-01-13
Red Hat
Mozilla: Spoofed origin on external protocol launch dialog2022-01-11
Debian
CVE-2022-22748: firefox - Malicious websites could have confused Firefox into showing the wrong origin whe...2022
CVE-2022-22748 — Cross-site Scripting in Mozilla | cvebase