Multiple vulnerabilities in Mozilla Firefox



| Updated: 2022-08-20
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2022-1802
CVE-2022-1529
CWE-ID CWE-94
CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
 Mozilla Firefox
Client/Desktop applications / Web browsers

Firefox ESR
Client/Desktop applications / Web browsers

Firefox for Android
Mobile applications / Apps for mobile phones

Vendor Mozilla

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Code Injection

EUVDB-ID: #VU63501

Risk: High

CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2022-1802

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to prototype pollution in Top-Level Await implementation. A remote attacker can trick the victim to visit a specially crafted website, corrupt the methods of an Array object in JavaScript via prototype pollution and execute arbitrary JavaScript code in a privileged context.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 90.0 - 100.0.1

Firefox ESR: 91.0 - 91.9.0

Firefox for Android: 90.1.0 - 100.2.0

CPE2.3 External links

https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
https://www.zerodayinitiative.com/advisories/ZDI-22-799/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU63502

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-1529

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input within the NotificationsDB module. A remote attacker can trick the victim to visit a specially crafted web page, which passes malicious messages to the parent process where the contents is used to double-index into a JavaScript object. As a result, an attacker can perform prototype pollution and execute arbitrary JavaScript code in the privileged parent process.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 90.0 - 100.0.1

Firefox ESR: 91.0 - 91.9.0

Firefox for Android: 90.1.0 - 100.2.0

CPE2.3 External links

https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
https://www.zerodayinitiative.com/advisories/ZDI-22-798/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###