In a cross-site scripting attack, if an HTML email that had been sent from a source without the patch for CVE-2018-5146 was opened, a remote attacker could open a specially crafted website in a tab, which would then be able to run code in the context of the vulnerable website. This has been mitigated by blocking remote object loading. In HTML emails, an object could be specified using the srcdoc attribute. An example usage of the srcdoc attribute is shown below.

    <!DOCTYPE HTML>
    <html>
    <body>
    <p>This is an <code>iframe</code> element with <code>srcdoc</code> attribute and the object is a local file.</p>
    <p>This is another <code>iframe</code> element with <code>srcdoc</code> attribute and the object is a remote file.</p>
    <p>This is another <code>iframe</code> element with <code>srcdoc</code> attribute and the object is on an external domain.</p>
    </body>
    </html>
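The mitigation described above, blocking remote object loading from srcdoc iframes, can be expressed as a pre-render check. The following is an added example, not code from the original page or from any mail client: it parses the outer email body, extracts every iframe's srcdoc attribute, parses that inner document and reports each resource reference that would be fetched over the network. The sample email, the function names and the rule that anything with an http, https, ftp or protocol-relative reference counts as remote (while cid:, file: and relative references count as local) are assumptions made for the example.

```python
"""Detect remote object loads hidden inside iframe srcdoc attributes.

Added example, not the page's or any mail client's code. Assumed policy: a
reference is "remote" when it has an http/https/ftp scheme or is
protocol-relative; cid:, file: and bare relative references are "local".
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}
# Attributes through which an element pulls in an object when rendered
# (an <a href> is only followed on click, so it is deliberately excluded).
OBJECT_ATTRS = {"src", "data"}


def is_remote(url):
    """True when rendering the reference would cause a network fetch."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() in REMOTE_SCHEMES:
        return True
    # "//host/path" has no scheme but a netloc and resolves to http(s)
    return parsed.scheme == "" and parsed.netloc != ""


class SrcdocCollector(HTMLParser):
    """Collects the srcdoc content of every iframe in the outer email body.

    html.parser unescapes attribute values, so an srcdoc written with
    &lt; and &quot; entities arrives here as plain HTML."""

    def __init__(self):
        super().__init__()
        self.srcdocs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "srcdoc" and value:
                    self.srcdocs.append(value)


class ObjectRefCollector(HTMLParser):
    """Collects (tag, attribute, url) for every object reference in one srcdoc document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in OBJECT_ATTRS or (tag == "link" and name == "href"):
                self.refs.append((tag, name, value))


def find_remote_loads(email_html):
    """Return [(tag, attribute, url), ...] for every remote reference inside any srcdoc."""
    outer = SrcdocCollector()
    outer.feed(email_html)
    findings = []
    for doc in outer.srcdocs:
        inner = ObjectRefCollector()
        inner.feed(doc)
        findings.extend(ref for ref in inner.refs if is_remote(ref[2]))
    return findings


def should_block(email_html):
    """Mitigation decision: refuse to render srcdoc content that loads remote objects."""
    return len(find_remote_loads(email_html)) > 0


# Constructed sample mirroring the page's three cases: a local object, a
# remote object, and an object on an external domain. Hosts are made up.
SAMPLE_EMAIL = """<!DOCTYPE HTML>
<html><body>
<p>local object</p>
<iframe srcdoc='<img src="cid:logo@example.invalid">'></iframe>
<p>remote object</p>
<iframe srcdoc='<img src="https://mail.example.invalid/track.png">'></iframe>
<p>object on an external domain</p>
<iframe srcdoc='<object data="//cdn.example.invalid/widget.swf"></object>'></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_loads(SAMPLE_EMAIL):
        print(f"remote load via <{tag} {attr}>: {url}")
    print("block:", should_block(SAMPLE_EMAIL))
```

Only the two iframes whose srcdoc points at a network resource are reported; the cid: reference is left alone, which is the behaviour a mail client applying the "block remote object loading" mitigation would want.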

Vulnerability Symptoms

- An HTML email will be opened in a tab by a vulnerable website, and the user will see that the email is from a source without the patch.
- The user can view srcdoc elements, and they could open remotely loaded objects.

Vulnerable code example:

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 20:25:00 UTC

References