CVE-2022-29911UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021UI Misrepresentation / Clickjacking12 documents8 sources
Severity
6.1MEDIUMNVD
OSV4.3
EPSS
0.3%
top 45.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedDec 22

Description

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages8 packages

CVEListV5mozilla/firefoxunspecified100
NVDmozilla/firefox< 100.0
CVEListV5mozilla/firefox_esrunspecified91.9
CVEListV5mozilla/thunderbirdunspecified91.9

🔴Vulnerability Details

4
CVEList
CVE-2022-29911: An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scri2022-12-22
OSV
CVE-2022-29911: An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scri2022-12-22
GHSA
GHSA-2pjx-v75h-827m: An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scri2022-12-22
OSV
thunderbird vulnerabilities2022-05-25

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2022-05-25
Ubuntu
Firefox vulnerabilities2022-05-11
Red Hat
Mozilla: iframe Sandbox bypass2022-05-03
Debian
CVE-2022-29911: firefox - An improper implementation of the new iframe sandbox keyword <code>allow-top-nav...2022
Mozilla
Mozilla Foundation Security Advisory 2022-17: CVE-2022-29911
CVE-2022-29911 — UI Misrepresentation / Clickjacking | cvebase