CVE-2022-31744Cross-site Scripting in Mozilla Firefox

CWE-79Cross-site ScriptingCWE-863Incorrect Authorization12 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 79.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedDec 22

Description

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

CVEListV5mozilla/firefoxunspecified101
NVDmozilla/firefox< 101.0
CVEListV5mozilla/firefox_esrunspecified91.11
CVEListV5mozilla/thunderbirdunspecified102+1
NVDmozilla/firefox_esr< 91.11

🔴Vulnerability Details

4
OSV
CVE-2022-31744: An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security2022-12-22
GHSA
GHSA-p5h8-cwcq-q5g2: An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security2022-12-22
CVEList
CVE-2022-31744: An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security2022-12-22
OSV
thunderbird vulnerabilities2022-07-14

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2022-07-14
Red Hat
Mozilla: CSP bypass enabling stylesheet injection2022-06-28
Ubuntu
Firefox vulnerabilities2022-06-13
Debian
CVE-2022-31744: firefox - An attacker could have injected CSS into stylesheets accessible via internal URI...2022
Mozilla
Mozilla Foundation Security Advisory 2022-25: CVE-2022-31744
CVE-2022-31744 — Cross-site Scripting in Mozilla | cvebase