Lucene search

K
cveMozillaCVE-2022-26485
HistoryDec 22, 2022 - 8:15 p.m.

CVE-2022-26485

2022-12-2220:15:22
CWE-416
mozilla
web.nvd.nist.gov
1373
In Wild
21
cve-2022-26485
xslt parameter
use-after-free vulnerability
firefox
thunderbird
focus
nvd
security
exploit

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.009

Percentile

82.4%

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Affected configurations

Nvd
Vulners
Node
mozillafirefoxRange<97.0.2
OR
mozillafirefoxRange<97.3.0android
OR
mozillafirefox_esrRange<91.6.1
OR
mozillafirefox_focusRange<97.3.0
OR
mozillathunderbirdRange<91.6.2
VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
mozillafirefox_focus*cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Mozilla",
    "product": "Firefox",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "97.0.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Firefox ESR",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "91.6.1",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Firefox for Android",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "97.3.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Thunderbird",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "91.6.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Focus",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "97.3.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.009

Percentile

82.4%