IBMD2F4FA819023A831832A647B550E8F703EF96C1E7E396A36F150B71108876F7DSecurity Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 91.8.0ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 - 2022.4.0
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.02 Low
EPSS
Percentile
88.7%
Summary
CVE-2022-28282, CVE-2021-38503, CVE-2022-22760, CVE-2021-38509, CVE-2022-22739, CVE-2022-26381, CVE-2022-22754, CVE-2021-43538, CVE-2022-22747, CVE-2021-38504, CVE-2022-22746, CVE-2022-26383, CVE-2022-22741, CVE-2022-26384, CVE-2022-22759, CVE-2022-22748, CVE-2021-43543, CVE-2022-1196, CVE-2021-38501, CVE-2022-22740, CVE-2021-38498, CVE-2021-43539, CVE-2021-43536, CVE-2022-24713, CVE-2022-22744, CVE-2022-28285, CVE-2022-22743, CVE-2022-28289, CVE-2022-26386, CVE-2022-28286, CVE-2022-22764, CVE-2022-22742, CVE-2021-38508, CVE-2022-22761, CVE-2021-4140, CVE-2021-38507, CVE-2022-26486, CVE-2022-22756, CVE-2021-38500, CVE-2022-22738, CVE-2021-38505, CVE-2021-43541, CVE-2022-22763, CVE-2021-38496, CVE-2022-22737, CVE-2022-26485, CVE-2021-38506, CVE-2022-1097, CVE-2022-26387, CVE-2021-43545, CVE-2021-38497, CVE-2022-28281, CVE-2022-22745, CVE-2022-22753, CVE-2021-38510, CVE-2021-43546, CVE-2021-43537, CVE-2022-22751, CVE-2021-43542, IBM X-Force ID: 212646, IBM X-Force ID: 214745, IBM X-Force ID: 212647
Vulnerability Details
CVEID:CVE-2022-28282
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in DocumentL10n::TranslateDocument. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223377 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38503
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to correctly apply the iframe sandbox rules to XSLT stylesheets. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212634 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22760
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by error messages would distinguishing the difference between application/javascript responses and non-script responses. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to learn information cross-origin.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2021-38509
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an unusual sequence of attacker-controlled events that allows a Javascript alert box to be displayed onto an arbitrary domain. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct spoofing attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212641 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22739
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by missing throttling on external protocol launch dialog. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trick users into accepting launching a program to handle an external URL protocol.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217035 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-26381
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in text reflows. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221280 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-22754
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the auto-updating of an extension. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass the prompt which grants permission confirmation.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-43538
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by misusing a race in our notification code. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to forcefully hide the notification for pages that had received full screen and pointer lock access and conduct a spoofing attack.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
CVEID:CVE-2022-22747
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by an error when handling empty pkcs7 sequence. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217033 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38504
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in file picker dialog. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212632 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22746
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by a race condition that allows bypassing the fullscreen notification. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof a fullscreen window.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217016 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-26383
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when using fullscreen mode. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the browser window.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221278 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22741
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when resizing a popup while requesting fullscreen access. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the browser window.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217019 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-26384
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when controlling the contents of an iframe sandboxed with allow-popups but not allow-scripts. By persuading a victim to click a specially-crafted link, a remote attacker could exploit this vulnerability to bypass sandbox restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221279 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22759
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error if a document created a sandboxed iframe without allow-scripts. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow sandboxed iframes to execute script if the parent appended elements.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219062 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22748
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error on external protocol launch dialog. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the origin.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217030 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-43543
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the bypass of CSP sandbox directive when embedding By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow documents loaded with the CSP sandbox directive to escape.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214741 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-1196
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free after VR Process destruction. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38501
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210697 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22740
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free of ChannelEventQueue::mOwner. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to corrupt the stack and cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38498
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free of nsLanguageAtomService object. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210696 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-43539
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when calling wasm instance methods. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214738 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-43536
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a flaw when navigating while executing asynchronous function. By persuading a victim to visit a specially-crafted Web site, an attacker could exploit this vulnerability to obtain URL information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214692 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-24713
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by the failure to properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing by the rust regex crate. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223383 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-22744
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary commands on the system, caused by the failure of the constructed curl command from the “Copy as curl” feature in DevTools to properly escape website-controlled data. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary commands on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217032 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-28285
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an incorrect AliasSet used in JIT Codegen. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trigger out-of-bounds memory read.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223380 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-22743
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when navigating from inside an iframe while requesting fullscreen access. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the browser window.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217017 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-28289
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223384 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-26386
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the downloading of temporary files to /tmp and accessible by other local users. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-28286
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the rendering of iframe contents outside of its border. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223381 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22764
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219067 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22742
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by an out-of-bounds memory access when inserting text in edit mode. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217018 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38508
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when displaying a form validity message in the correct location at the same time as a permission prompt. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct a spoofing attack.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212639 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22761
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to enforce frame-ancestors Content Security Policy directive for framed extension By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219065 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-4140
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when constructing specific XSLT markup. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass an iframe sandbox.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217023 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-38507
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when using opportunistic Encryption in HTTP2 . By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass the Same-Origin-Policy on services hosted on other ports.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-26486
**DESCRIPTION:**Mozilla Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebGPU IPC framework. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221068 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22756
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an error when dragging and dropping an image to their desktop. By persuading a victim to click on the image, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219059 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-38500
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210693 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22738
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a heap-based buffer-overflow in blendGaussianBlur. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217021 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38505
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the recording of data copied to the clipboard to the cloud by a new feature in Windows 10 known as Cloud Clipboard. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212635 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2021-43541
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when invoking protocol handlers for external protocols. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow external protocol handler parameters to escape.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214736 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-22763
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an error during invalid object state. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute script on the vulnerable system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-38496
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in MessageTask. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210694 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22737
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a race condition when playing audio files. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-26485
**DESCRIPTION:**Mozilla Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in XSLT parameter processing. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221067 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-38506
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by being coaxed into entering fullscreen mode without notification or warning to the user. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the the browser UI.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212636 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-1097
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in thread shutdown. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223373 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-26387
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a time-of-check time-of-use bug when verifying add-on signatures. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221277 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-43545
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by an error when using the Location API in a loop. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214743 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-38497
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks. By using reportValidity() and window.open(), a remote attacker could overlay a validation message on another origin and possibly conduct spoofing attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210695 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-28281
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write due to unexpected WebAuthN Extensions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223376 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-22745
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the leaking of cross-origin URLs through securitypolicyviolation event. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to disclose cross-origin information for frame-ancestors violations.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217031 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-22753
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to gain elevated privileges on the system, cause by a Time-of-Check Time-of-Use bug in the Maintenance (Updater) Service. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to gain SYSTEM privileges.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-38510
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to present the executable file warning when downloading .inetloc files on Mac OS. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to run commands on a user’s computer.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212642 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-43546
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when a native cursor is zoomed. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct a cursor spoofing attack.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214744 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2021-43537
**DESCRIPTION:**Mozilla Firefox is vulnerable to a denial of service, caused by a heap-based buffer overflow when using structured clone. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214705 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-22751
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217011 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID:CVE-2021-43542
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using XMLHttpRequest error codes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to leak the existence of an external protocol handler.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
**IBM X-Force ID:**212646
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212646 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
**IBM X-Force ID:**214745
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214745 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
**IBM X-Force ID:**212647
**DESCRIPTION:**Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in HTTP2 Session object. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| APM AM | 8.1.4 |
| APM SaaS | 8.1.4 |
| APM on-premise | 8.1.4 |
Remediation/Fixes
Product Remediation
|
Fix
—|—
APM AM
|
fixed in latest saas env
APM SaaS
|
fixed in latest saas env
APM on-premis
|
Synthetic Playback Agent 8.1.4 IF16
Readme: <https://www.ibm.com/support/pages/node/6569903>
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm application performance management | eq | 8.1.4 |
Related
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.02 Low
EPSS
Percentile
88.7%