This issue was fixed in Firefox ESR version 91.5, and Thunderbird version 31.5.

An out-of-bounds read was possible when manipulating arrays with certain characters during input in edit boxes. This could result in remote code execution. This vulnerability affects Firefox ESR  91.5, Firefox  96, and Thunderbird  91.5.

A flaw was found in the way Firefox parsed certain image content when using the file: URL scheme. An attacker could use this flaw to bypass cross-origin resource sharing protections. This issue only affects Firefox  57.

A flaw was found in the way Firefox verified certain correctness of the code stored in data: URLs. This issue could be leveraged by attackers to bypass code integrity checks, leading to potential information disclosure. This issue only affects Firefox  57.

A cross-site scripting (XSS) vulnerability was discovered on Windows systems when accessing the about:torpage page. This vulnerability allows for malicious code to run when accessing this page. This issue only affects Firefox  57.

A flaw was found in the way Firefox displayed certain malformed content trackers. This issue could be used by attackers to construct a link that appears to go to a benign website but in fact redirects to another location of their choosing. This issue only affects Firefox  57.

Fixed vulnerabilities in Firefox ESR

A flaw was found in the way Firefox handled redirect requests when the Host header was either partially or entirely set to an https://hostname. A remote attacker could use this issue to conduct a man-in-the-middle attack to obtain sensitive information or redirect the user to a malicious site. This issue only affects Firefox  57.

A cross-site scripting (XSS) vulnerability was discovered on Windows systems when accessing the about:torpage page. This vulnerability allows for malicious code to run when accessing this page. This issue only affects Firefox ESR  91.5, Thunderbird  31.5, and SeaMonkey  2.53a1pre2.

Firefox ESR 91.5, Firefox 96, and Thunderbird 91.5 Fixed
Fixes were implemented in the browser to address these issues in Firefox ESR  91.5, Firefox  96, and Thunderbird  91.5.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/29/2022 20:17:00 UTC
