CVE-2022-26384

Published on: Not Yet Published

Last Modified on: 12/30/2022 08:56:00 PM UTC

CVE-2022-26384

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Certain versions of Firefox from Mozilla contain the following vulnerability:

If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

CVE-2022-26384 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
Affected Vendor/Software: Mozilla - Firefox version < 98
Affected Vendor/Software: Mozilla - Firefox ESR version < 91.7
Affected Vendor/Software: Mozilla - Thunderbird version < 91.7

CVSS3 Score: 9.6 - CRITICAL

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	REQUIRED
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
CHANGED	HIGH	HIGH	HIGH

CVE References

Description	Tags ^ⓘ	Link
Security Vulnerabilities fixed in Thunderbird 91.7 — Mozilla	www.mozilla.org text/html	MISC www.mozilla.org/security/advisories/mfsa2022-12/
1744352 - (CVE-2022-26384) Sandboxed iFrame XSS - javascript URI's run with target _blank	bugzilla.mozilla.org text/html	MISC bugzilla.mozilla.org/show_bug.cgi?id=1744352
Security Vulnerabilities fixed in Firefox ESR 91.7 — Mozilla	www.mozilla.org text/html	MISC www.mozilla.org/security/advisories/mfsa2022-11/
Security Vulnerabilities fixed in Firefox 98 — Mozilla	www.mozilla.org text/html	MISC www.mozilla.org/security/advisories/mfsa2022-10/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

159696 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-0824)
159697 Oracle Enterprise Linux Security Update for firefox (ELSA-2022-0818)
159705 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-0845)
159706 Oracle Enterprise Linux Security Update for thunderbird (ELSA-2022-0850)
179116 Debian Security Update for firefox-esr (DSA 5097-1)
179121 Debian Security Update for firefox-esr (DLA 2942-1)
179150 Debian Security Update for thunderbird (DSA 5106-1)
179152 Debian Security Update for thunderbird (DLA 2961-1)
198696 Ubuntu Security Notification for Firefox Vulnerabilities (USN-5321-1)
198704 Ubuntu Security Notification for Firefox Vulnerabilities (USN-5321-2)
198711 Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5345-1)
240124 Red Hat Update for firefox (RHSA-2022:0817)
240132 Red Hat Update for firefox (RHSA-2022:0824)
240133 Red Hat Update for firefox (RHSA-2022:0818)
240136 Red Hat Update for firefox (RHSA-2022:0816)
240141 Red Hat Update for thunderbird (RHSA-2022:0853)
240142 Red Hat Update for thunderbird (RHSA-2022:0845)
240143 Red Hat Update for thunderbird (RHSA-2022:0843)
240145 Red Hat Update for thunderbird (RHSA-2022:0850)
240433 Red Hat Update for thunderbird (RHSA-2022:0847)
257161 CentOS Security Update for firefox (CESA-2022:0824)
257164 CentOS Security Update for thunderbird (CESA-2022:0850)
296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
353262 Amazon Linux Security Advisory for thunderbird : ALAS2-2022-1779
376457 Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2022-11)
376458 Mozilla Firefox Multiple Vulnerabilities (MFSA2022-10)
376462 Mozilla Thunderbird Multiple Vulnerabilities (MFSA2022-12)
502075 Alpine Linux Security Update for firefox-esr
502387 Alpine Linux Security Update for thunderbird
502690 Alpine Linux Security Update for firefox
710582 Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202208-08)
710585 Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202208-14)
751863 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0819-1)
751868 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0822-1)
751869 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:0821-1)
751876 OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2022:0821-1)
751915 OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2022:0906-1)
753085 SUSE Enterprise Linux Security Update for MozillaThunderbird (SUSE-SU-2022:0906-1)
753414 SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2022:14906-1)
940460 AlmaLinux Security Update for firefox (ALSA-2022:0818)
940465 AlmaLinux Security Update for thunderbird (ALSA-2022:0845)
960832 Rocky Linux Security Update for thunderbird (RLSA-2022:0845)
960834 Rocky Linux Security Update for firefox (RLSA-2022:0818)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Mozilla	Firefox	All	All	All	All
Application	Mozilla	Firefox Esr	All	All	All	All
Application	Mozilla	Thunderbird	All	All	All	All

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*:
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*:
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
/r/k12cybersecurity	UPDATED - Multiple Vulnerabilities in Mozilla Firefox Products Could Allow for Arbitrary Code Execution - PATCH: NOW	2022-03-08 22:00:53