#VU64762 Code Injection in Mozilla Firefox - CVE-2022-2200
Vulnerability identifier: #VU64762
Vulnerability risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-94
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Mozilla Firefox
Client/Desktop applications /
Web browsers
Vendor: Mozilla
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation when handling JavaScript attributes. A remote attacker can pass undesired attributes to JavaScript object and perform prototype pollution and execute arbitrary JavaScript code in the browser.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Mozilla Firefox: 90.0 - 101.0.1
External links
https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
