
Mageia: 2022-0251 Critical: Firefox Code Execution Risks

July 5, 2022
Recent updates for Firefox have addressed security vulnerabilities and incorporated essential patches for Mageia users.

Summary

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution (CVE-2022-2200).
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy (CVE-2022-31744).
Content Security Policy sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI. An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link (CVE-2022-34468).
Navigations between XML documents may have led to a use-after-free in nsSHistory and a potentially exploitable crash (CVE-2022-34470).
If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown (CVE-2022-34472).
A malicious website that could create a popup could have resized the popup to overlay th...


References

- https://bugs.mageia.org/show_bug.cgi?id=30583

- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/EvvZnF-wh14

- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_80.html

- https://www.mozilla.org/en-US/security/advisories/mfsa2022-25/

- https://www.cve.org/CVERecord?id=CVE-2022-2200

- https://www.cve.org/CVERecord?id=CVE-2022-31744

- https://www.cve.org/CVERecord?id=CVE-2022-34468

- https://www.cve.org/CVERecord?id=CVE-2022-34470

- https://www.cve.org/CVERecord?id=CVE-2022-34472

- https://www.cve.org/CVERecord?id=CVE-2022-34479

- https://www.cve.org/CVERecord?id=CVE-2022-34481

- https://www.cve.org/CVERecord?id=CVE-2022-34484

Resolution

SRPMS

- 8/core/firefox-91.11.0-1.mga8

- 8/core/firefox-l10n-91.11.0-1.mga8

- 8/core/rootcerts-20220610.00-1.mga8

- 8/core/nss-3.80.0-1.mga8
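
To check a host against the fixed versions listed above, the following is an added example (not part of the Mageia advisory) that compares installed version-release strings with RPM-style segment ordering, so that 91.9.1 correctly sorts below 91.11.0. It assumes the installed package names match the source package names listed here (binary package names may differ), ignores epochs and the `~`/`^` version modifiers, and uses a constructed sample inventory.

```python
import re

# Fixed versions taken from the SRPMS list in this advisory.
FIXED = {
    "firefox": "91.11.0-1.mga8",
    "firefox-l10n": "91.11.0-1.mga8",
    "rootcerts": "20220610.00-1.mga8",
    "nss": "3.80.0-1.mga8",
}

def _segments(s):
    # Split into runs of digits or letters; separators are discarded.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings (epoch assumed equal)."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(installed):
    """installed: {name: 'version-release'} -> sorted names still below the fixed version."""
    return sorted(n for n, evr in installed.items()
                  if n in FIXED and evr_cmp(evr, FIXED[n]) < 0)

# Constructed sample inventory, not taken from a real host.
SAMPLE = {
    "firefox": "91.10.0-1.mga8",
    "firefox-l10n": "91.9.1-1.mga8",
    "nss": "3.80.0-1.mga8",
    "rootcerts": "20220610.00-1.mga8",
}

if __name__ == "__main__":
    print("needs update:", audit(SAMPLE))
```

On a real system the inventory can be built from the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.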

Severity
critical

Publication date: 05 Jul 2022
URL: https://advisories.mageia.org/MGASA-2022-0251.html
Type: security
CVE: CVE-2022-2200, CVE-2022-31744, CVE-2022-34468, CVE-2022-34470, CVE-2022-34472, CVE-2022-34479, CVE-2022-34481, CVE-2022-34484
