Mozilla

The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification

CVE-2020-12413 5.9 - Medium - February 16, 2023

The Raccoon attack is a timing attack on DHE ciphersuites inherit in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Side Channel Attack

Scanning a QR code that contained a javascript: URL

CVE-2019-17003 6.1 - Medium - February 16, 2023

Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed.

XSS

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS)

CVE-2020-6817 7.5 - High - February 16, 2023

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

ReDoS

Thunderbird versions prior to 91.3.0 are vulnerable to the heap overflow described in CVE-2021-43527 when processing S/MIME messages

CVE-2021-43529 9.8 - Critical - February 16, 2023

Thunderbird versions prior to 91.3.0 are vulnerable to the heap overflow described in CVE-2021-43527 when processing S/MIME messages. Thunderbird versions 91.3.0 and later will not call the vulnerable code when processing S/MIME messages that contain certificates with DER-encoded DSA or RSA-PSS signatures.

Memory Corruption

There was an open redirection vulnerability pollbot

CVE-2022-0637 6.1 - Medium - February 16, 2023

There was an open redirection vulnerability pollbot, which was used in https://pollbot.services.mozilla.com/ and https://pollbot.stage.mozaws.net/ An attacker could have redirected anyone to malicious sites.

Open Redirect

A mutation XSS affects users calling bleach.clean with all of: svg or math in the

CVE-2021-23980 6.1 - Medium - February 16, 2023

A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True.

XSS

Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash

CVE-2022-40957 6.5 - Medium - December 22, 2022

Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash.<br>*This bug only affects Firefox on ARM64 platforms.*. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

An attacker could have exploited a timing attack by sending a large number of

CVE-2022-31742 6.5 - Medium - December 22, 2022

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead

CVE-2022-40956 6.1 - Medium - December 22, 2022

When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

XSS

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies

CVE-2022-40958 6.5 - Medium - December 22, 2022

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Injection

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe

CVE-2022-40960 6.5 - Medium - December 22, 2022

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Dangling pointer

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass

CVE-2022-40959 6.5 - Medium - December 22, 2022

During iframe navigation, certain pages did not have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.

Insecure Storage of Sensitive Information

When receiving an HTML email

CVE-2022-3034 4.3 - Medium - December 22, 2022

When receiving an HTML email that specified to load an <code>iframe</code> element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Clickjacking

When receiving an HTML email

CVE-2022-3032 6.5 - Medium - December 22, 2022

When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

AuthZ

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to

CVE-2022-3033 8.1 - High - December 22, 2022

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Code Injection

When receiving an HTML email

CVE-2022-3034 4.3 - Medium - December 22, 2022

When receiving an HTML email that specified to load an <code>iframe</code> element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Clickjacking

When receiving an HTML email

CVE-2022-3032 6.5 - Medium - December 22, 2022

When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

AuthZ

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to

CVE-2022-3033 8.1 - High - December 22, 2022

If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.

Code Injection

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12

CVE-2022-38478 8.8 - High - December 22, 2022

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Memory Corruption

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1

CVE-2022-38477 8.8 - High - December 22, 2022

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104.

Memory Corruption

A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability

CVE-2022-38476 7.5 - High - December 22, 2022

A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password. This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2.

Dangling pointer

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access)

CVE-2022-38473 8.8 - High - December 22, 2022

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Improper Preservation of Permissions

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin

CVE-2022-38472 6.5 - Medium - December 22, 2022

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Origin Validation Error

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12

CVE-2022-38478 8.8 - High - December 22, 2022

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Memory Corruption

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access)

CVE-2022-38473 8.8 - High - December 22, 2022

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Improper Preservation of Permissions

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin

CVE-2022-38472 6.5 - Medium - December 22, 2022

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Origin Validation Error

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12

CVE-2022-38478 8.8 - High - December 22, 2022

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Memory Corruption

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1

CVE-2022-38477 8.8 - High - December 22, 2022

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104.

Memory Corruption

An attacker could have written a value to the first element in a zero-length JavaScript array

CVE-2022-38475 6.5 - Medium - December 22, 2022

An attacker could have written a value to the first element in a zero-length JavaScript array. Although the array was zero-length, the value was not written to an invalid memory address. This vulnerability affects Firefox < 104.

AuthZ

A website that had permission to access the microphone could record audio without the audio notification being shown

CVE-2022-38474 4.3 - Medium - December 22, 2022

A website that had permission to access the microphone could record audio without the audio notification being shown. This bug does not allow the attacker to bypass the permission prompt - it only affects the notification shown once permission has been granted.<br />*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 104.

Exposure of Resource to Wrong Sphere

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access)

CVE-2022-38473 8.8 - High - December 22, 2022

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Improper Preservation of Permissions

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin

CVE-2022-38472 6.5 - Medium - December 22, 2022

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Origin Validation Error

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12

CVE-2022-38478 8.8 - High - December 22, 2022

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Memory Corruption

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1

CVE-2022-38477 8.8 - High - December 22, 2022

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103 and Firefox ESR 102.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.2, Thunderbird < 102.2, and Firefox < 104.

Memory Corruption

A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability

CVE-2022-38476 7.5 - High - December 22, 2022

A data race could occur in the <code>PK11_ChangePW</code> function, potentially leading to a use-after-free vulnerability. In Firefox, this lock protected the data when a user changed their master password. This vulnerability affects Firefox ESR < 102.2 and Thunderbird < 102.2.

Dangling pointer

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access)

CVE-2022-38473 8.8 - High - December 22, 2022

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Improper Preservation of Permissions

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin

CVE-2022-38472 6.5 - Medium - December 22, 2022

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Origin Validation Error

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12

CVE-2022-38478 8.8 - High - December 22, 2022

Members the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 103, Firefox ESR 102.1, and Firefox ESR 91.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Memory Corruption

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access)

CVE-2022-38473 8.8 - High - December 22, 2022

A cross-origin iframe referencing an XSLT document would inherit the parent domain's permissions (such as microphone or camera access). This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Improper Preservation of Permissions

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin

CVE-2022-38472 6.5 - Medium - December 22, 2022

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

Origin Validation Error

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected

CVE-2022-36318 5.3 - Medium - December 22, 2022

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Race Condition

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed

CVE-2022-36319 7.5 - High - December 22, 2022

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102

CVE-2022-2505 8.8 - High - December 22, 2022

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

Memory Corruption

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path

CVE-2022-36314 5.5 - Medium - December 22, 2022

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.<br>This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

DLL preloading

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected

CVE-2022-36318 5.3 - Medium - December 22, 2022

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Race Condition

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed

CVE-2022-36319 7.5 - High - December 22, 2022

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102

CVE-2022-2505 8.8 - High - December 22, 2022

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

Memory Corruption

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102

CVE-2022-36320 9.8 - Critical - December 22, 2022

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 103.

Memory Corruption

When using the Performance API

CVE-2022-36316 6.1 - Medium - December 22, 2022

When using the Performance API, an attacker was able to notice subtle differences between PerformanceEntries and thus learn whether the target URL had been subject to a redirect. This vulnerability affects Firefox < 103.

Open Redirect

When loading a script with Subresource Integrity

CVE-2022-36315 4.3 - Medium - December 22, 2022

When loading a script with Subresource Integrity, attackers with an injection capability could trigger the reuse of previously cached entries with incorrect, different integrity metadata. This vulnerability affects Firefox < 103.

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path

CVE-2022-36314 5.5 - Medium - December 22, 2022

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.<br>This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

DLL preloading

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected

CVE-2022-36318 5.3 - Medium - December 22, 2022

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Race Condition

When visiting a website with an overly long URL, the user interface would start to hang

CVE-2022-36317 6.5 - Medium - December 22, 2022

When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 103.

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed

CVE-2022-36319 7.5 - High - December 22, 2022

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected

CVE-2022-36318 5.3 - Medium - December 22, 2022

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Race Condition

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed

CVE-2022-36319 7.5 - High - December 22, 2022

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102

CVE-2022-2505 8.8 - High - December 22, 2022

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 102. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

Memory Corruption

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path

CVE-2022-36314 5.5 - Medium - December 22, 2022

When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system.<br>This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 102.1, Firefox < 103, and Thunderbird < 102.1.

DLL preloading

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected

CVE-2022-36318 5.3 - Medium - December 22, 2022

When visiting directory listings for `chrome://` URLs as source text, some parameters were reflected. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

Race Condition

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed

CVE-2022-36319 7.5 - High - December 22, 2022

When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed. This vulnerability affects Firefox ESR < 102.1, Firefox ESR < 91.12, Firefox < 103, Thunderbird < 102.1, and Thunderbird < 91.12.

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension

CVE-2022-34482 8.8 - High - December 22, 2022

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483. This vulnerability affects Firefox < 102.

On arm64

CVE-2022-31740 8.8 - High - December 22, 2022

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Mozilla developers Andrew McCreight, Nicolas B

CVE-2022-31747 9.8 - Critical - December 22, 2022

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

A malicious website could have learned the size of a cross-origin resource that supported Range requests

CVE-2022-31736 9.8 - Critical - December 22, 2022

A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash

CVE-2022-31737 9.8 - Critical - December 22, 2022

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Memory Corruption

When exiting fullscreen mode

CVE-2022-31738 6.5 - Medium - December 22, 2022

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Authentication Bypass by Spoofing

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths

CVE-2022-31739 8.8 - High - December 22, 2022

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption

CVE-2022-31741 8.8 - High - December 22, 2022

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Buffer Overflow

An attacker could have exploited a timing attack by sending a large number of

CVE-2022-31742 6.5 - Medium - December 22, 2022

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers

CVE-2022-31743 6.5 - Medium - December 22, 2022

Firefox's HTML parser did not correctly interpret HTML comment tags, resulting in an incongruity with other browsers. This could have been used to escape HTML comments on pages that put user-controlled data in them. This vulnerability affects Firefox < 101.

XSS

An attacker could have injected CSS into stylesheets accessible

CVE-2022-31744 6.5 - Medium - December 22, 2022

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.

AuthZ

If array shift operations are not used, the Garbage Collector may have become confused about valid objects

CVE-2022-31745 4.3 - Medium - December 22, 2022

If array shift operations are not used, the Garbage Collector may have become confused about valid objects. This vulnerability affects Firefox < 101.

out-of-bounds array index

Mozilla developers Andrew McCreight, Nicolas B

CVE-2022-31747 9.8 - Critical - December 22, 2022

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100 and Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Mozilla developers Gabriele Svelto

CVE-2022-31748 9.8 - Critical - December 22, 2022

Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 100. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 101.

The search term could have been specified externally to trigger SQL injection

CVE-2022-1887 9.8 - Critical - December 22, 2022

The search term could have been specified externally to trigger SQL injection. This vulnerability affects Firefox for iOS < 101.

SQL Injection

A malicious website

CVE-2022-34479 6.5 - Medium - December 22, 2022

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Session history navigations may have led to a use-after-free and potentially exploitable crash

CVE-2022-34470 9.8 - Critical - December 22, 2022

Session history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Dangling pointer

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link

CVE-2022-34468 8.8 - High - December 22, 2022

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

In the <code>nsTArray_Impl::ReplaceElementsAt()</code> function

CVE-2022-34481 8.8 - High - December 22, 2022

In the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Integer Overflow or Wraparound

An attacker could have injected CSS into stylesheets accessible

CVE-2022-31744 6.5 - Medium - December 22, 2022

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.

AuthZ

If there was a PAC URL set and the server

CVE-2022-34472 4.3 - Medium - December 22, 2022

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

The <code>ms-msdt</code>

CVE-2022-34478 6.5 - Medium - December 22, 2022

The <code>ms-msdt</code>, <code>search</code>, and <code>search-ms</code> protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them.<br>*This bug only affects Thunderbird on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

If an object prototype was corrupted by an attacker, they

CVE-2022-2200 8.8 - High - December 22, 2022

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Prototype Pollution

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10

CVE-2022-34484 8.8 - High - December 22, 2022

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

assertion failure

A malicious website

CVE-2022-34479 6.5 - Medium - December 22, 2022

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Session history navigations may have led to a use-after-free and potentially exploitable crash

CVE-2022-34470 9.8 - Critical - December 22, 2022

Session history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Dangling pointer

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link

CVE-2022-34468 8.8 - High - December 22, 2022

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

In the <code>nsTArray_Impl::ReplaceElementsAt()</code> function

CVE-2022-34481 8.8 - High - December 22, 2022

In the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Integer Overflow or Wraparound

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10

CVE-2022-34484 8.8 - High - December 22, 2022

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

assertion failure

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101

CVE-2022-34485 9.8 - Critical - December 22, 2022

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102.

Memory Corruption

A malicious website

CVE-2022-34479 6.5 - Medium - December 22, 2022

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Thunderbird for Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Session history navigations may have led to a use-after-free and potentially exploitable crash

CVE-2022-34470 9.8 - Critical - December 22, 2022

Session history navigations may have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Dangling pointer

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link

CVE-2022-34468 8.8 - High - December 22, 2022

An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

An OpenPGP digital signature includes information about the date when the signature was created

CVE-2022-2226 6.5 - Medium - December 22, 2022

An OpenPGP digital signature includes information about the date when the signature was created. When displaying an email that contains a digital signature, the email's date will be shown. If the dates were different, then Thunderbird didn't report the email as having an invalid signature. If an attacker performed a replay attack, in which an old email with old contents are resent at a later time, it could lead the victim to believe that the statements in the email are current. Fixed versions of Thunderbird will require that the signature's date roughly matches the displayed date of the email. This vulnerability affects Thunderbird < 102 and Thunderbird < 91.11.

Authentication Bypass by Capture-replay

The <code>ms-msdt</code>

CVE-2022-34478 6.5 - Medium - December 22, 2022

The <code>ms-msdt</code>, <code>search</code>, and <code>search-ms</code> protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them.<br>*This bug only affects Thunderbird on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10

CVE-2022-34484 8.8 - High - December 22, 2022

The Mozilla Fuzzing Team reported potential vulnerabilities present in Thunderbird 91.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

assertion failure

If an object prototype was corrupted by an attacker, they

CVE-2022-2200 8.8 - High - December 22, 2022

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Prototype Pollution

The HTML Sanitizer should have sanitized the <code>href</code> attribute of SVG <code>&lt;use&gt;</code> tags; however it incorrectly did not sanitize <code>xlink:href</code> attributes

CVE-2022-34473 6.1 - Medium - December 22, 2022

The HTML Sanitizer should have sanitized the <code>href</code> attribute of SVG <code>&lt;use&gt;</code> tags; however it incorrectly did not sanitize <code>xlink:href</code> attributes. This vulnerability affects Firefox < 102.

XSS

If there was a PAC URL set and the server

CVE-2022-34472 4.3 - Medium - December 22, 2022

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

An attacker could have injected CSS into stylesheets accessible

CVE-2022-31744 6.5 - Medium - December 22, 2022

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.

AuthZ