CVE-2022-22756
published 2022-12-22


Priority: P3 47
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.93% (56.0th percentile)
If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Affected

18 ranges

Vendor | Product | Version range | Fixed in
debian | firefox | < firefox 97.0-1 (sid) | firefox 97.0-1 (sid)
debian | firefox-esr | < firefox 97.0-1 (sid) | firefox 97.0-1 (sid)
debian | thunderbird | < firefox 97.0-1 (sid) | firefox 97.0-1 (sid)
mozilla | firefox | < 97.0 | 97.0
mozilla | firefox | (not specified) | (not specified)
mozilla | firefox | >= 0 < 97.0+build2-0ubuntu0.18.04.1 | 97.0+build2-0ubuntu0.18.04.1
mozilla | firefox | >= 0 < 97.0+build2-0ubuntu0.20.04.1 | 97.0+build2-0ubuntu0.20.04.1
mozilla | firefox | >= unspecified < 97 | 97
mozilla | firefox_esr | < 91.6 | 91.6
mozilla | firefox_esr | >= unspecified < 91.6 | 91.6
mozilla | thunderbird | < 91.6 | 91.6
mozilla | thunderbird | >= 0 < 1:91.6.0-1~deb11u1 | 1:91.6.0-1~deb11u1
mozilla | thunderbird | >= 0 < 1:91.6.0-1 | 1:91.6.0-1
mozilla | thunderbird | >= 0 < 1:91.6.0-1 | 1:91.6.0-1
mozilla | thunderbird | >= 0 < 1:91.6.0-1 | 1:91.6.0-1
mozilla | thunderbird | >= 0 < 1:91.7.0+build2-0ubuntu0.18.04.1 | 1:91.7.0+build2-0ubuntu0.18.04.1
mozilla | thunderbird | >= 0 < 1:91.7.0+build2-0ubuntu0.20.04.1 | 1:91.7.0+build2-0ubuntu0.20.04.1
mozilla | thunderbird | >= unspecified < 91.6 | 91.6

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv | | 8.8 | HIGH |
vendor_debian | | 8.8 | HIGH |
vendor_redhat | | 8.8 | HIGH |
vendor_ubuntu | | 8.8 | HIGH |