Rewterz Threat Advisory – CVE-2022-38475 – Mozilla Firefox Vulnerability
August 24, 2022
Severity
High
Analysis Summary
CVE-2022-38476 (CVSS 8.8)
Mozilla Firefox and Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a data race in the PK11_ChangePW function that results in a use-after-free error. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2022-38473 (CVSS 8.8)
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a cross-origin iframe referencing an XSLT document. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to inherit the parent domain’s permissions.
CVE-2022-38472 (CVSS 6.5)
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the abuse of XSLT error handling. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the address bar.
CVE-2022-38477 (CVSS 8.8)
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2022-38478 (CVSS 8.8)
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Impact
- Code Execution
- Security Bypass
- Unauthorized Access
Indicators Of Compromise
CVE
- CVE-2022-38476
- CVE-2022-38473
- CVE-2022-38472
- CVE-2022-38477
- CVE-2022-38478
Affected Vendors
Mozilla
Affected Products
- Mozilla Firefox 103
- Mozilla Firefox ESR 102.1
- Mozilla Firefox ESR 91.12
- Mozilla Thunderbird 102.1
- Mozilla Thunderbird 91.12
Remediation
Refer to the Mozilla Security Advisory for patch, upgrade, or suggested workaround information.