CVE-2022-22755 — Operation on a Resource after Expiration or Release in Mozilla Firefox

CWE-672 — Operation on a Resource after Expiration or Release CWE-434 — Unrestricted File Upload8 documents7 sources

Severity

8.8HIGHNVD

GHSA9.8

EPSS

0.8%

top 26.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Latest updateMay 8

Description

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds of the same-origin policy) even after the tab was closed. This vulnerability affects Firefox < 97.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/firefox< firefox 97.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 97

▶NVDmozilla/firefox< 97.0

▶Ubuntumozilla/firefox< 97.0+build2-0ubuntu0.18.04.1+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

MCMS vulnerable to arbitrary code execution via crafted thumbnail↗2023-05-08

▶

GHSA

GHSA-3w9m-vg42-8v9h: By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds o↗2022-12-22

▶

OSV

firefox vulnerabilities↗2022-02-14

▶

OSV

CVE-2022-22755: By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript (within the bounds o↗2022-02-09

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-02-14

▶

Debian

CVE-2022-22755: firefox - By using XSL Transforms, a malicious webserver could have served a user an XSL d...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-04: CVE-2022-22755↗

▶