CVE-2022-28284 — Improper Encoding or Escaping of Output in Mozilla Firefox

CWE-116 — Improper Encoding or Escaping of Output7 documents6 sources

Severity

8.8HIGHNVD

OSV6.5

EPSS

0.4%

top 41.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

SVG's element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/firefox< firefox 99.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 99

▶NVDmozilla/firefox< 99.0

▶Ubuntumozilla/firefox< 99.0+build2-0ubuntu0.18.04.2+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-5g34-x2rf-m7v6: SVG's element could have been used to load unexpected content that could have executed script in certain circumstances↗2022-12-22

▶

OSV

firefox vulnerabilities↗2022-04-07

▶

OSV

CVE-2022-28284: SVG's element could have been used to load unexpected content that could have executed script in certain circumstances↗2022-04-07

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-04-07

▶

Debian

CVE-2022-28284: firefox - SVG's <code><use></code> element could have been used to load unexpected c...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-13: CVE-2022-28284↗

▶