PT-2022-1912 · Mozilla+10 · Firefox Esr+12

Ed Mcmanus

Published

2022-03-08

Updated

2024-12-12

CVE-2022-26384

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 98 Firefox ESR versions prior to 91.7 Thunderbird versions prior to 91.7

Description The issue is related to a logical error in handling iframes. If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This could allow a remote attacker to bypass introduced security restrictions.

Recommendations For Firefox versions prior to 98, update to version 98 or later. For Firefox ESR versions prior to 91.7, update to version 91.7 or later. For Thunderbird versions prior to 91.7, update to version 91.7 or later.

Exploit

Fix

Protection Mechanism Failure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264CWE-693

Related Identifiers

ALSA-2022:0818

ALSA-2022:0845

ALT-PU-2022-1450

ALT-PU-2022-1474

ALT-PU-2022-1475

ALT-PU-2022-1482

ALT-PU-2022-1487

ALT-PU-2022-1502

ALT-PU-2022-1519

ALT-PU-2022-1781

ALT-PU-2022-2053

ALT-PU-2022-2458

ALT-PU-2022-2929

ALT-PU-2022-2930

ALT-PU-2023-1138

ALT-PU-2023-1139

ALT-PU-2023-4336

ALT-PU-2023-4339

BDU:2022-01448

CESA-2022_0818

CESA-2022_0824

CESA-2022_0845

CESA-2022_0850

CVE-2022-26384

DLA-2942-1

DLA-2961-1

DSA-5097-1

DSA-5106-1

MGASA-2022-0093

MGASA-2022-0097

OESA-2023-1673

OESA-2023-1674

OPENSUSE-SU-2022:0821-1

OPENSUSE-SU-2022:0906-1

OPENSUSE-SU-2022_0821-1

OPENSUSE-SU-2022_0906-1

OPENSUSE-SU-2024:11908-1

OPENSUSE-SU-2024:11909-1

OPENSUSE-SU-2024:14572-1

RHSA-2022:0815

RHSA-2022:0816

RHSA-2022:0817

RHSA-2022:0818

RHSA-2022:0824

RHSA-2022:0843

RHSA-2022:0845

RHSA-2022:0847

RHSA-2022:0850

RHSA-2022:0853

RHSA-2022_0818

RHSA-2022_0824

RHSA-2022_0845

RHSA-2022_0850

RLSA-2022:0818

RLSA-2022:0845

SUSE-SU-2022:0819-1

SUSE-SU-2022:0821-1

SUSE-SU-2022:0822-1

SUSE-SU-2022:0906-1

SUSE-SU-2022:14906-1

SUSE-SU-2022_14906-1

USN-5321-1

USN-5321-2

USN-5321-3

USN-5345-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Firefox

Firefox Esr

Linuxmint

Red Hat

Red Os

Rocky Linux

Suse

Thunderbird

Ubuntu

PT-2022-1912 · Mozilla+10 · Firefox Esr+12

CVE-2022-26384

Weakness Enumeration

Related Identifiers

Affected Products

References · 2271