CVE-2022-31738: Authentication Bypass by Spoofing in Mozilla Firefox

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 63.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 22

Description

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (8 packages)

CVEListV5 | mozilla/firefox | unspecified | 101
NVD | mozilla/firefox | < 101
CVEListV5 | mozilla/firefox_esr | unspecified | 91.10
NVD | mozilla/firefox_esr | < 91.10
CVEListV5 | mozilla/thunderbird | unspecified | 91.10

Vulnerability Details (4)

GHSA | GHSA-3v83-x3vq-3mmv: When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion o | 2022-12-22
CVEList | CVE-2022-31738: When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion o | 2022-12-22
OSV | CVE-2022-31738: When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion o | 2022-12-22
OSV | thunderbird vulnerabilities | 2022-07-14

Vendor Advisories (7)

Ubuntu | Thunderbird vulnerabilities | 2022-07-14
Ubuntu | Firefox vulnerabilities | 2022-06-13
Red Hat | Mozilla: Browser window spoof using fullscreen mode | 2022-05-31
Debian | CVE-2022-31738: firefox - When exiting fullscreen mode, an iframe could have confused the browser about th... | 2022
Mozilla | Mozilla Foundation Security Advisory 2022-22: CVE-2022-31738