An attacker could host a specially crafted website or instant message that would cause Thunderbird or Firefox to use a compromised object as a prototype, setting any properties they wanted. An attacker could corrupt an object and inject malicious code into it before it is sent to the client. On the server, if the object was changed to have malicious code, privileged code could be executed. This could lead to attackers gaining access to data, setting up phishing attacks, or carrying out other attacks as described in the Mozilla documentation. This vulnerability was found in the way objects are created and handled. It was a result of a bug in the JavaScript language implementation, and was fixed in Firefox  102, Firefox ESR  91.11, and Thunderbird  102.

References

Mozilla Security Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2022-2200
Mozilla Bug Report
https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2022-2200

CVE-2023-2200

An attacker could host a specially crafted website or instant message that would cause Thunderbird or Firefox to use a compromised object as a prototype, setting any properties they wanted. An attacker could corrupt an object and inject malicious code into it before it is sent to the client. On the server, if the object was changed to have malicious code, privileged code could be executed. This vulnerability was found in the way objects are created and handled. It was a result of a bug in the JavaScript language implementation, and was fixed in Firefox  102, Firefox ESR  91.11, and Thunderbird  102.

Information disclosure vulnerability

In Thunderbird and Firefox, when an object is received in the messaging client, it is created as a prototype. It also creates a copy of itself on the server. This allows the object to be changed on the server before it is sent to the client. An attacker could host a specially crafted website or instant message that would cause Thunderbird or Firefox to use the compromised object as a prototype, setting any properties they wanted. An attacker could corrupt an object and inject malicious code into it before it is sent to the client. On the server, if the object was changed to have malicious code, privileged code could be executed. This could lead to attackers gaining access to data, setting up phishing attacks, or carrying out other attacks as described in the Mozilla documentation.

How Do I Use This Guide?

This guide will help you understand how to secure your computer against these threats.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 20:14:00 UTC

References