Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Firefox_esr
(Mozilla)| Repositories | https://github.com/libevent/libevent |
| #Vulnerabilities | 1094 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-12-22 | CVE-2022-22761 | Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. | Firefox, Firefox_esr, Thunderbird | 8.8 | ||
| 2022-12-22 | CVE-2022-22760 | When importing resources using Web Workers, error messages would distinguish the difference between <code>application/javascript</code> responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6. | Firefox, Firefox_esr, Thunderbird | 6.5 | ||
| 2022-12-22 | CVE-2022-22763 | When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible. This vulnerability affects Firefox < 96, Thunderbird < 91.6, and Firefox ESR < 91.6. | Firefox, Firefox_esr, Thunderbird | 8.8 | ||
| 2022-12-22 | CVE-2022-26381 | An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. | Firefox, Firefox_esr, Thunderbird | 8.8 | ||
| 2022-12-22 | CVE-2022-26383 | When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. | Firefox, Firefox_esr, Thunderbird | 4.3 | ||
| 2022-12-22 | CVE-2022-26384 | If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. | Firefox, Firefox_esr, Thunderbird | 9.6 | ||
| 2022-12-22 | CVE-2022-26387 | When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. | Firefox, Firefox_esr, Thunderbird | 7.5 | ||
| 2022-12-22 | CVE-2022-26485 | Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. | Firefox, Firefox_esr, Firefox_focus, Thunderbird | 8.8 | ||
| 2022-12-22 | CVE-2022-26486 | An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0. | Firefox, Firefox_esr, Firefox_focus, Thunderbird | 9.6 | ||
| 2022-12-22 | CVE-2022-28281 | If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. | Firefox, Firefox_esr, Thunderbird | 8.8 |