CVE-2022-34468 — Inclusion of Functionality from Untrusted Control Sphere in Mozilla Firefox

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere CWE-79 — Cross-site Scripting13 documents8 sources

Severity

8.8HIGHNVD

OSV6.5

EPSS

0.5%

top 33.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Description

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

▶CVEListV5mozilla/firefoxunspecified — 102

▶NVDmozilla/firefox< 102.0

▶CVEListV5mozilla/firefox_esrunspecified — 91.11

▶CVEListV5mozilla/thunderbirdunspecified — 102+1

▶NVDmozilla/firefox_esr< 91.11

🔴Vulnerability Details

CVEList

CVE-2022-34468: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link↗2022-12-22

▶

GHSA

GHSA-g34x-fm45-8xww: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link↗2022-12-22

▶

OSV

CVE-2022-34468: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-07-14

▶

OSV

firefox vulnerabilities↗2022-07-05

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-07-14

▶

Ubuntu

Firefox vulnerabilities↗2022-07-05

▶

Red Hat

Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI↗2022-06-28

▶

Debian

CVE-2022-34468: firefox - An iframe that was not permitted to run scripts could do so if the user clicked ...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-26: CVE-2022-34468↗

▶