PT-2022-1590 · Mozilla+10 · Firefox Esr+12
Johan Carlsson
·
Published
2022-02-08
·
Updated
2024-12-12
·
CVE-2022-22759
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 97
Mozilla Thunderbird versions prior to 91.6
Firefox ESR versions prior to 91.6
Description
The issue is related to insufficient access control in the handling of iframe elements by Mozilla Firefox and Mozilla Thunderbird. An attacker could exploit this by creating a sandboxed iframe without the
allow-scripts permission and then appending an element with a JavaScript event handler to the iframe's document, allowing the event handler to run despite the sandbox restrictions.Recommendations
For Mozilla Firefox versions prior to 97, update to version 97 or later to resolve the issue.
For Mozilla Thunderbird versions prior to 91.6, update to version 91.6 or later to resolve the issue.
For Firefox ESR versions prior to 91.6, update to version 91.6 or later to resolve the issue.
Exploit
Fix
Protection Mechanism Failure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Firefox Esr
Linuxmint
Firefox
Thunderbird
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu