CVE-2022-40956 — Cross-site Scripting in Mozilla Firefox
Severity
NVD: 6.1 (Medium)
OSV: 5.5
EPSS: 0.2% (top 52.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: Firefox < 105, Firefox ESR < 102.3, Thunderbird < 102.3
Timeline
Published: 2022-12-22
Latest update: 2024-09-22
Description
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected packages: 8
Vulnerability Details
OSV: CVE-2022-40956, published 2022-12-22, same summary as the description above
GHSA: GHSA-74v3-gjvq-vv7f, published 2022-12-22, same summary as the description above
CVEList: CVE-2022-40956, published 2022-12-22, same summary as the description above
Vendor Advisories
Debian: CVE-2022-40956 (firefox), 2022, same summary as the description above
Community
Bugzilla (2024-09-22): CSP bypass in DevTools Network Tab Response Preview because `content-security-policy:` headers ignored