CVE-2022-31744 CSS injected via internal URIs could bypass a page's Content Security Policy.

The attacker would need to host a malicious stylesheet on a malicious server—for example, if they have compromised the same server. In cases where the internal domain is different from the host domain, the attacker would need to host the stylesheet on a server under their control.

To exploit this vulnerability, an attacker would need to trick a user into visiting a specially crafted page. This could be done, for example, by sending a link via email or social media.

An attacker could also host a malicious stylesheet on a server and host a website on that server that leverages the Stylesheet directive to inject a stylesheet. In this case, the attacker would need tolund the link on their own website.

All users are encouraged to apply the latest Thunderbird and Firefox patches. Users can also enable click-to-activate CSS in the Trust settings of the Add-ons Manager.

Vulnerability Mitigation Strategies

To mitigate this vulnerability, all users are encouraged to apply the latest Thunderbird and Firefox patches. Users can also enable click-to-activate CSS in the Trust settings of the Add-ons Manager.

Thunderbird provides a high-level mitigation strategy for this vulnerability.

Vulnerability Discovery - April 2015

This security issue was discovered by the Mozilla Foundation. The issue is that malicious HTML files can be injected into CSS stylesheets. This could allow an attacker to steal cookie information, including login credentials and other sensitive data, if the victim visits a website with the malicious file included.

Appendix: Examples of how this vulnerability can be exploited

A malicious stylesheet is hosted on a malicious server and the link is placed on the attacker’s website.
The attacker sends a link via email or social media to trick a user into visiting this site, which will include the malicious stylesheet.

Demand-Based Styling

The attacker can exploit this vulnerability to inject arbitrary styles and scripts in the HTML of a web site. This can lead to cross-site scripting attacks on other sites that use the same vulnerable stylesheet, as well as reduced security, increased accessibility, and higher risk of data loss.

To exploit, an attacker would need to trick a user into visiting a specially crafted page. This could be done, for example, by sending a link via email or social media.

An attacker could also host a malicious stylesheet on a server and host a website on that server that leverages the Stylesheet directive to inject a stylesheet. In this case, the attacker would need tolund the link on their own website.
All users are encouraged to apply the latest Thunderbird and Firefox patches. Users can also enable click-to-activate CSS in the Trust settings of the Add-ons Manager.

Thunderbird and Firefox patches

The Thunderbird and Firefox developers issued security updates for CVE-2022-31744. The updates address the vulnerability and prevent an exploit from taking place.
Users are encouraged to apply these updates as soon as they become available.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 16:21:00 UTC

References

• https://www.mozilla.org/security/advisories/mfsa2022-20/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1757604
• https://www.mozilla.org/security/advisories/mfsa2022-26/
• https://www.mozilla.org/security/advisories/mfsa2022-25/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31744