PT-2022-4951 · Mozilla+4 · Firefox+4

Jack Wrenn · Published 2022-02-08 · Updated 2024-12-12 · CVE-2022-22755

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 97

Description

The issue is related to insufficient control of resources over their lifetime during XML document transformations, allowing a remote attacker to cause a denial of service, bypass security restrictions, access confidential information, or execute arbitrary JavaScript code using a specially crafted XML document. A malicious web server could serve a user an XSL document that would continue to execute JavaScript within the bounds of the same-origin policy even after the tab was closed.

Recommendations

For versions prior to 97, update to version 97 or later to resolve the issue. As a temporary workaround, consider restricting the use of XSL Transforms in Firefox until a patch is applied. Avoid using Firefox to access untrusted websites or XML documents from unknown sources until the issue is resolved.


Weakness Enumeration

Related Identifiers

ALT-PU-2022-1230
ALT-PU-2022-2458
ALT-PU-2022-2929
ALT-PU-2022-2930
ALT-PU-2023-1138
ALT-PU-2023-1139
ALT-PU-2023-4336
ALT-PU-2023-4339
BDU:2022-06144
CVE-2022-22755
OESA-2023-1673
OESA-2023-1674
OESA-2024-1288
OESA-2024-1308
OPENSUSE-SU-2024:11837-1
OPENSUSE-SU-2024:14572-1
USN-5284-1

Affected Products

Alt Linux
Astra Linux
Firefox
Linux Mint
Ubuntu