Request a Demo
Rewterz
Rewterz Threat Advisory – CVE-2022-38475 – Mozilla Firefox Vulnerability
August 24, 2022
Rewterz
Rewterz Threat Advisory – CVE-2022-2587 – Google Chrome OS Audio Server Exploit in the Wild
August 24, 2022

Rewterz Threat Advisory – Multiple Mozilla Firefox Vulnerabilities

Severity

High

Analysis Summary

CVE-2022-38476 CVSS:8.8
Mozilla Firefox and Thunderbird could allow a remote attacker to execute arbitrary code on the system, caused by a data race in the PK11_ChangePW function that results in a use-after-free error. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-38473 CVSS:8.8
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by a cross-origin iframe referencing an XSLT document. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to inherit the parent domain’s permissions.

CVE-2022-38472 CVSS:6.5
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by the abuse of XSLT error handling. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the addressbar.

CVE-2022-38477 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-38478 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

  • Code Execution
  • Security Bypass
  • Unauthorized Access

Indicators Of Compromise

CVE

  • CVE-2022-38476
  • CVE-2022-38473
  • CVE-2022-38472
  • CVE-2022-38477
  • CVE-2022-38478

Affected Vendors

Mozilla

Affected Products

  • Mozilla Firefox 103
  • Mozilla Firefox ESR 102.1
  • Mozilla Firefox ESR 91.12
  • Mozilla Thunderbird 102.1
  • Mozilla Thunderbird 91.12

Remediation

Refer to Mozilla Security Advisory for patch, upgrade or suggested workaround information.
Mozilla Security Advisory