CVE-2022-36318 — Race Condition in Mozilla Firefox

CWE-362 — Race Condition CWE-79 — Cross-site Scripting14 documents8 sources

Severity

5.3MEDIUMNVD

OSV8.8

EPSS

0.2%

top 58.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Description

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 103

▶NVDmozilla/firefox< 103.0

▶CVEListV5mozilla/firefox_esrunspecified — 102.1+1

▶NVDmozilla/firefox_esr< 102.1+1

▶CVEListV5mozilla/thunderbirdunspecified — 102.1+1

🔴Vulnerability Details

GHSA

GHSA-3q68-3vrx-8h5f: When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected↗2022-12-22

▶

CVEList

CVE-2022-36318: When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected↗2022-12-22

▶

OSV

CVE-2022-36318: When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-10-07

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-10-07

▶

Ubuntu

Firefox vulnerabilities↗2022-07-28

▶

Red Hat

Mozilla: Directory indexes for bundled resources reflected URL parameters↗2022-07-26

▶

Debian

CVE-2022-36318: firefox - When visiting directory listings for `chrome://` URLs as source text, some param...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-29: CVE-2022-36318↗

▶