Mozilla Firefox patches multiple vulnerabilities

THREAT LEVEL: Amber.

Mozilla has released a major security update for Firefox that patches 9 high, 6 moderate and 3 low impact vulnerabilities.

Vulnerabilities classified as high are:

  • CVE-2022-22746: Calling into reportValidity could have led to fullscreen window spoof
  • CVE-2022-22743: Browser window spoof using fullscreen mode
  • CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
  • CVE-2022-22741: Browser window spoof using fullscreen mode
  • CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
  • CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
  • CVE-2022-22737: Race condition when playing audio files
  • CVE-2021-4140: Iframe sandbox bypass with XSLT
  • CVE-2022-22751: Memory safety bugs

Vulnerabilities classified as moderate are:

  • CVE-2022-22750: IPC passing of resource handles could have led to sandbox bypass
  • CVE-2022-22749: Lack of URL restrictions when scanning QR codes
  • CVE-2022-22748: Spoofed origin on external protocol launch dialog
  • CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
  • CVE-2022-22744: The ‘Copy as curl’ feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
  • CVE-2022-22752: Memory safety bugs

Vulnerabilities classified as low are:

  • CVE-2022-22747: Crash when handling empty pkcs7 sequence
  • CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.
  • CVE-2022-22739: Missing throttling on external protocol launch dialog

All of these vulnerabilities can be patched by upgrading to Mozilla Firefox 96, Mozilla Firefox ESR 91.5, and Mozilla Thunderbird 91.5.
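To check an inventory against the fixed versions named above, the following added example (not part of the original advisory) classifies version strings per channel, so that a release-channel Firefox 92 to 95 is not mistaken for patched just because it is numerically above 91.5. The host names and version lines are constructed samples, and the "esr" suffix in the version string is assumed to be how ESR builds are identified.

```python
import re

# Fixed versions as stated in the advisory, keyed by channel.
FIXED = {"firefox": (96, 0), "firefox-esr": (91, 5), "thunderbird": (91, 5)}

# Assumed input format: "<Product> <major>.<minor>[.<patch>][esr]"
_VERSION_RE = re.compile(
    r"\b(firefox|thunderbird)\s+(\d+)(?:\.(\d+))?(?:\.\d+)*(esr)?",
    re.IGNORECASE,
)

def classify(version_line):
    """Return (channel, patched) for one version string, or None if unparseable."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return None
    product = m.group(1).lower()
    major, minor = int(m.group(2)), int(m.group(3) or 0)
    # Only an explicit "esr" suffix selects the ESR threshold; a bare
    # Firefox version is judged against 96, which errs on the safe side.
    channel = "firefox-esr" if product == "firefox" and m.group(4) else product
    return channel, (major, minor) >= FIXED[channel]

def audit(inventory):
    """Return (host, channel, line) for unpatched or unparseable entries."""
    findings = []
    for host, line in inventory:
        result = classify(line)
        if result is None:
            findings.append((host, "unknown", line))
        elif not result[1]:
            findings.append((host, result[0], line))
    return findings

# Constructed sample inventory (hypothetical hosts and version output).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 96.0"),
    ("ws-02", "Mozilla Firefox 95.0.2"),
    ("ws-03", "Mozilla Firefox 91.5.0esr"),
    ("ws-04", "Mozilla Firefox 91.4.1esr"),
    ("ws-05", "Mozilla Thunderbird 91.5.0"),
    ("ws-06", "Mozilla Thunderbird 91.4.1"),
    ("ws-07", "firefox: command not found"),
]

if __name__ == "__main__":
    for host, channel, line in audit(SAMPLE_INVENTORY):
        print(f"{host}: needs attention ({channel}): {line}")
```

Entries that cannot be parsed are reported as "unknown" rather than silently treated as patched.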

Vulnerability Details

References

https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/

https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/

https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/

https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/mozilla-releases-security-updates-firefox-firefox-esr-and