CVE-2022-22754

Published: Dec 22, 2022Modified: Apr 16, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new version the new requested permissions. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Affected (3)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 97.0
Mozilla Firefox Esr	Before 91.6
Mozilla Thunderbird	Before 91.6

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (8)

https://bugzilla.mozilla.org/show_bug.cgi?id=1750565

Source: security@mozilla.org

Issue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-04/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-05/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-06/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1750565

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-04/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-05/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-06/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.