CVE-2022-34473 — Cross-site Scripting in Mozilla Firefox

CWE-79 — Cross-site Scripting11 documents7 sources

Severity

6.1MEDIUMNVD

OSV8.8

EPSS

0.5%

top 32.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

The HTML Sanitizer should have sanitized the href attribute of SVG tags; however it incorrectly did not sanitize xlink:href attributes. This vulnerability affects Firefox < 102.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶debiandebian/firefox< firefox 102.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 102

▶NVDmozilla/firefox< 102.0

▶Ubuntumozilla/firefox< 102.0+build2-0ubuntu0.18.04.1+1

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-h8wm-ccrj-94x5: The HTML Sanitizer should have sanitized the href attribute of SVG tags; however it incorrectly did not sanitize xlink:href attributes↗2022-12-22

▶

OSV

firefox vulnerabilities↗2022-07-05

▶

OSV

CVE-2022-34473: The HTML Sanitizer should have sanitized the href attribute of SVG tags; however it incorrectly did not sanitize xlink:href attributes↗2022-07-05

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-07-05

▶

Debian

CVE-2022-34473: firefox - The HTML Sanitizer should have sanitized the <code>href</code> attribute of SVG ...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-24: CVE-2022-34473↗

▶