Severity Rating: HIGH
Software Affected
Mozilla Firefox versions prior to 108
Mozilla Firefox ESR versions prior to 102.6
Mozilla Thunderbird versions prior to 102.6
Overview
Multiple vulnerabilities have been reported in Mozilla Firefox, Mozilla Thunderbird and Mozilla Firefox ESR which could be exploited by a remote attacker to perform a spoofing attack, execute arbitrary code, bypass security restrictions, gain access to potentially sensitive information, perform memory corruption and cause a potentially exploitable crash on the targeted system.
Description
These vulnerabilities exist in Mozilla products due to a use-after-free and memory corruption in WebGL, arbitrary file read from a compromised content process via clipboard-related IPC messages (on Linux), insufficient validation of long filename extensions during drag-and-drop actions, bypass of download protections by .atloc and .ftploc files (on macOS), an out-of-date libusrsctp library, delayed or suppressed fullscreen notifications, and a missing implementation of the unsafe-hashes CSP directive. A remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted Web site.
Successful exploitation of these vulnerabilities could allow the remote attacker to perform a spoofing attack, execute arbitrary code, bypass security restrictions, gain access to potentially sensitive information, perform memory corruption and cause a potentially exploitable crash on the targeted system.
Solution
Apply the appropriate fixes as mentioned in the Mozilla Security Advisories (see Vendor Information below).
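Added example (not part of the CERT-In advisory): a Python check that flags installed Firefox, Firefox ESR and Thunderbird builds that are below the fixed releases listed under Software Affected. The inventory records, hostnames and version strings are constructed for illustration; ESR builds are recognised by the "esr" suffix they report.

```python
"""Flag Mozilla builds below the fixed releases in this advisory:
Firefox 108, Firefox ESR 102.6, Thunderbird 102.6 (added example)."""
import re

# Fixed releases from the advisory: any version *below* these is affected.
FIXED = {
    "firefox": (108, 0),
    "firefox-esr": (102, 6),
    "thunderbird": (102, 6),
}


def parse_version(raw):
    """Turn '102.5.0esr' into ((102, 5, 0), True); the 'esr' suffix marks ESR."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)\s*(esr)?", raw.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) == "esr"


def is_affected(product, raw_version):
    """True if product/version is below the advisory's fixed release."""
    nums, esr = parse_version(raw_version)
    key = product.lower()
    if key == "firefox" and esr:
        key = "firefox-esr"  # 102.x ESR is judged against 102.6, not 108
    if key not in FIXED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    fixed = FIXED[key]
    width = max(len(nums), len(fixed))  # pad so 107.0.1 compares with 108.0
    return nums + (0,) * (width - len(nums)) < fixed + (0,) * (width - len(fixed))


def triage(inventory):
    """Return (host, product, version) for every record below the fixed release."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "107.0.1"),
    ("ws-02", "Firefox", "108.0"),
    ("ws-03", "Firefox", "102.5.0esr"),
    ("ws-04", "Firefox", "102.6.0esr"),
    ("mail-01", "Thunderbird", "102.5.1"),
    ("mail-02", "Thunderbird", "102.6.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```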
Vendor Information
Mozilla
References
Mozilla
Center for Internet Security
CVE Name
CVE-2022-46871
CVE-2022-46872
CVE-2022-46873
CVE-2022-46874
CVE-2022-46875
CVE-2022-46877
CVE-2022-46878
CVE-2022-46879
CVE-2022-46880
CVE-2022-46881
CVE-2022-46882
About Cert Advisory
We have created this blog to provide the latest security advisories from India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate any kind of cyber attack.