PT-2022-3382 · Mozilla+10 · Thunderbird+11
Armin Ebert
·
Published
2022-06-28
·
Updated
2024-12-12
·
CVE-2022-34468
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Firefox versions prior to 102
Firefox ESR versions prior to 91.11
Thunderbird versions prior to 102
Thunderbird versions prior to 91.11
Description
The issue is related to errors in handling the Content Security Policy (CSP) header without the 'allow scripts' parameter. This could allow a remote attacker to bypass the implemented CSP restriction and execute arbitrary scripts using a specially crafted link, if the user clicks on a
javascript: link. An iframe that was not permitted to run scripts could do so under these conditions.Recommendations
For Firefox versions prior to 102: Update to version 102 or later.
For Firefox ESR versions prior to 91.11: Update to version 91.11 or later.
For Thunderbird versions prior to 102: Update to version 102 or later.
For Thunderbird versions prior to 91.11: Update to version 91.11 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Firefox
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Ubuntu