PT-2022-4619 · Mozilla+10 · Thunderbird+12

Armin Ebert

Published

2022-08-23

Updated

2024-12-12

CVE-2022-38473

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 102.2 Thunderbird versions prior to 91.13 Firefox ESR versions prior to 91.13 Firefox ESR versions prior to 102.2 Firefox versions prior to 104

Description The issue is related to the implementation of XSLT technology in Thunderbird and Firefox browsers, which allows a cross-origin iframe referencing an XSLT document to inherit the parent domain's permissions, such as microphone or camera access. This could potentially allow a remote attacker to elevate their privileges.

Recommendations For Thunderbird versions prior to 102.2, update to version 102.2 or later. For Thunderbird versions prior to 91.13, update to version 91.13 or later. For Firefox ESR versions prior to 91.13, update to version 91.13 or later. For Firefox ESR versions prior to 102.2, update to version 102.2 or later. For Firefox versions prior to 104, update to version 104 or later.

Exploit

Fix

Clickjacking

Improper Preservation of Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1021CWE-281

Related Identifiers

ALSA-2022:6164

ALSA-2022:6165

ALSA-2022:6174

ALSA-2022:6175

ALT-PU-2022-2481

ALT-PU-2022-2496

ALT-PU-2022-2515

ALT-PU-2022-2929

ALT-PU-2022-2930

ALT-PU-2022-2931

ALT-PU-2023-1137

ALT-PU-2023-1138

ALT-PU-2023-1139

ALT-PU-2023-4335

ALT-PU-2023-4336

ALT-PU-2023-4339

ALT-PU-2023-5754

ALT-PU-2024-3614

BDU:2022-05497

CESA-2022_6164

CESA-2022_6169

CESA-2022_6175

CESA-2022_6179

CVE-2022-38473

DLA-3080-1

DLA-3097-1

DSA-5217-1

DSA-5221-1

MGASA-2022-0309

MGASA-2022-0315

OESA-2023-1673

OESA-2023-1674

OPENSUSE-SU-2022_3030-1

OPENSUSE-SU-2022_3281-1

OPENSUSE-SU-2022_3396-1

OPENSUSE-SU-2024:12286-1

OPENSUSE-SU-2024:12287-1

OPENSUSE-SU-2024:14572-1

RHSA-2022:6164

RHSA-2022:6165

RHSA-2022:6166

RHSA-2022:6167

RHSA-2022:6168

RHSA-2022:6169

RHSA-2022:6174

RHSA-2022:6175

RHSA-2022:6176

RHSA-2022:6177

RHSA-2022:6178

RHSA-2022:6179

RHSA-2022_6164

RHSA-2022_6165

RHSA-2022_6169

RHSA-2022_6174

RHSA-2022_6175

RHSA-2022_6179

RLSA-2022:6164

RLSA-2022:6175

SUSE-SU-2022:2984-1

SUSE-SU-2022:3007-1

SUSE-SU-2022:3030-1

SUSE-SU-2022:3272-1

SUSE-SU-2022:3273-1

SUSE-SU-2022:3281-1

SUSE-SU-2022:3396-1

USN-5581-1

USN-5663-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Firefox

Firefox Esr

Linuxmint

Red Hat

Red Os

Rocky Linux

Suse

Thunderbird

Ubuntu

PT-2022-4619 · Mozilla+10 · Thunderbird+12

CVE-2022-38473

Weakness Enumeration

Related Identifiers

Affected Products

References · 2291