CVE-2022-22760
Published 2022-12-22
CVE-2022-22760: When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses…
Priority P427 · medium · 6.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EPSS: 0.76% (50.7th percentile)
When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 97.0-1 (sid) | firefox 97.0-1 (sid) |
| debian | firefox-esr | < firefox 97.0-1 (sid) | firefox 97.0-1 (sid) |
| debian | thunderbird | < firefox 97.0-1 (sid) | firefox 97.0-1 (sid) |
| mozilla | firefox | < 97.0 | 97.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 97.0+build2-0ubuntu0.18.04.1 | 97.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 97.0+build2-0ubuntu0.20.04.1 | 97.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 97 | 97 |
| mozilla | firefox_esr | < 91.6 | 91.6 |
| mozilla | firefox_esr | >= unspecified < 91.6 | 91.6 |
| mozilla | thunderbird | < 91.6 | 91.6 |
| mozilla | thunderbird | >= 0 < 1:91.6.0-1~deb11u1 | 1:91.6.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:91.6.0-1 | 1:91.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:91.6.0-1 | 1:91.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:91.6.0-1 | 1:91.6.0-1 |
| mozilla | thunderbird | >= 0 < 1:91.7.0+build2-0ubuntu0.18.04.1 | 1:91.7.0+build2-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= 0 < 1:91.7.0+build2-0ubuntu0.20.04.1 | 1:91.7.0+build2-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= unspecified < 91.6 | 91.6 |
CVSS provenance
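| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| osv | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |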
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2022-03-23·CVSS 8.8
CVE-2022-26386 [HIGH] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
bypass security restrictions, obtain sensitive information, cause
undefined behaviour, spoof the browser UI, or execute arbitrary code.
(CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763,
CVE-2022-22764, CVE-2022-26381, CVE-2022-26383, CVE-2022-26384)
It was discovered that extensions of a particular type could auto-update
themselves and bypass the prompt that requests permissions. If a user
were tricked into installing a specially crafted extension, an attacker
coul
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2022-02-14·CVSS 8.8
CVE-2022-22754 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, obtain sensitive information, or execute arbitrary code.
(CVE-2022-0511, CVE-2022-22755, CVE-2022-22759, CVE-2022-22760,
CVE-2022-22761, CVE-2022-22764)
It was discovered that extensions of a particular type could auto-update
themselves and bypass the prompt that requests permissions. If a user
were tricked into installing a specially crafted extension, an attacker
could potentially exploit this to bypass security restrictions.
(CVE-202
Red Hat
Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types
vendor_redhat·2022-02-08·CVSS 6.5
CVE-2022-22760 [MEDIUM] CWE-829 Mozilla: Cross-Origin responses could be distinguished between script and non-script content-types
When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as: When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin.
Package: firefox (Red Hat Enterprise Linux 6) - Out of support scope
Packa
Debian
CVE-2022-22760: firefox - When importing resources using Web Workers, error messages would distinguish the...
vendor_debian·2022·CVSS 6.5
CVE-2022-22760 [MEDIUM] CVE-2022-22760: firefox - When importing resources using Web Workers, error messages would distinguish the...
When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
Scope: local
sid: resolved (fixed in 97.0-1)
Mozilla
Mozilla Foundation Security Advisory 2022-05: CVE-2022-22760
vendor_mozilla·CVSS 6.5
CVE-2022-22760 [MEDIUM] Mozilla Foundation Security Advisory 2022-05: CVE-2022-22760
Mozilla Foundation Security Advisory 2022-05
CVE: CVE-2022-22760
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 91.6
Mozilla
Mozilla Foundation Security Advisory 2022-06: CVE-2022-22760
vendor_mozilla·CVSS 6.5
CVE-2022-22760 [MEDIUM] Mozilla Foundation Security Advisory 2022-06: CVE-2022-22760
Mozilla Foundation Security Advisory 2022-06
CVE: CVE-2022-22760
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 91.6
Mozilla
Mozilla Foundation Security Advisory 2022-04: CVE-2022-22760
vendor_mozilla·CVSS 6.5
CVE-2022-22760 [MEDIUM] Mozilla Foundation Security Advisory 2022-04: CVE-2022-22760
Mozilla Foundation Security Advisory 2022-04
CVE: CVE-2022-22760
Product: Firefox
Impact: high
Fixed in: Firefox 97
VulDB
Mozilla Thunderbird up to 91.5 Web Worker information exposure (Bug 1740985 / EUVD-2022-27903)
vuldb·2026-04-29·CVSS 6.5
CVE-2022-22760 [MEDIUM] Mozilla Thunderbird up to 91.5 Web Worker information exposure (Bug 1740985 / EUVD-2022-27903)
A vulnerability was found in Mozilla Thunderbird up to 91.5. It has been declared as problematic. This affects an unknown function of the component Web Worker. Executing a manipulation can lead to information exposure through error message.
This vulnerability is handled as CVE-2022-22760. The attack can be executed remotely. There is not any exploit available.
It is recommended to upgrade the affected component.
VulDB
Mozilla Firefox up to 96 information exposure (Bug 1740985 / EUVD-2022-27903)
vuldb·2026-04-29·CVSS 6.5
CVE-2022-22760 [MEDIUM] Mozilla Firefox up to 96 information exposure (Bug 1740985 / EUVD-2022-27903)
A vulnerability marked as problematic has been reported in Mozilla Firefox up to 96. Affected is an unknown function. This manipulation causes information exposure through error message.
This vulnerability is tracked as CVE-2022-22760. The attack is possible to be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
OSV
CVE-2022-22760: When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script re
osv·2022-12-22·CVSS 6.5
CVE-2022-22760 [MEDIUM] CVE-2022-22760: When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script re
When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
GHSA
GHSA-mpq8-m953-pwhf: When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script re
ghsa_unreviewed·2022-12-22
CVE-2022-22760 [MEDIUM] CWE-209 GHSA-mpq8-m953-pwhf: When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script re
When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
OSV
thunderbird vulnerabilities
osv·2022-03-23·CVSS 8.8
CVE-2022-22759 [HIGH] thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
bypass security restrictions, obtain sensitive information, cause
undefined behaviour, spoof the browser UI, or execute arbitrary code.
(CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763,
CVE-2022-22764, CVE-2022-26381, CVE-2022-26383, CVE-2022-26384)
It was discovered that extensions of a particular type could auto-update
themselves and bypass the prompt that requests permissions. If a user
were tricked into installing a specially crafted extension, an attacker
could potentially exploit this to bypass security restrictions.
(CVE-202
OSV
firefox vulnerabilities
osv·2022-02-14·CVSS 8.8
CVE-2022-0511 [HIGH] firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, obtain sensitive information, or execute arbitrary code.
(CVE-2022-0511, CVE-2022-22755, CVE-2022-22759, CVE-2022-22760,
CVE-2022-22761, CVE-2022-22764)
It was discovered that extensions of a particular type could auto-update
themselves and bypass the prompt that requests permissions. If a user
were tricked into installing a specially crafted extension, an attacker
could potentially exploit this to bypass security restrictions.
(CVE-2022-22754)
It was discovered that dragging and dropping an image into a folder could
result in it being marked as
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1740985
https://bugzilla.mozilla.org/show_bug.cgi?id=1748503
https://www.mozilla.org/security/advisories/mfsa2022-04/
https://www.mozilla.org/security/advisories/mfsa2022-05/
https://www.mozilla.org/security/advisories/mfsa2022-06/