CVE-2022-28283 — Files or Directories Accessible to External Parties in Mozilla Firefox

CWE-552 — Files or Directories Accessible to External Parties CWE-1321 — Prototype Pollution8 documents7 sources

Severity

6.5MEDIUMNVD

GHSA9.8

EPSS

0.3%

top 44.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Libnested Project Libnested

Timeline

PublishedDec 22

Description

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible. This vulnerability affects Firefox < 99.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/firefox< firefox 99.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 99

▶NVDmozilla/firefox< 99.0

▶Ubuntumozilla/firefox< 99.0+build2-0ubuntu0.18.04.2+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-vcmf-vf48-7jqp: The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files th↗2022-12-22

▶

OSV

firefox vulnerabilities↗2022-04-07

▶

OSV

CVE-2022-28283: The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files th↗2022-04-07

▶

GHSA

Prototype Pollution in libnested↗2022-03-18

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-04-07

▶

Debian

CVE-2022-28283: firefox - The sourceMapURL feature in devtools was missing security checks that would have...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-13: CVE-2022-28283↗

▶