CVE-2022-40958 — Injection in Mozilla Firefox
Severity
6.5MEDIUMNVD
OSV5.5
EPSS
0.4%
top 41.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedDec 22
Latest updateMay 6
Description
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages8 packages
🔴Vulnerability Details
4GHSA▶
GHSA-7mxj-29p2-6g84: By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite co↗2022-12-22
OSV▶
CVE-2022-40958: By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite co↗2022-12-22
CVEList▶
CVE-2022-40958: By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite co↗2022-12-22
📋Vendor Advisories
7💬Community
1Bugzilla
▶