CVE-2022-22761

Published: Dec 22, 2022Modified: Apr 16, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Web-accessible extension pages (pages with a moz-extension:// scheme) were not correctly enforcing the frame-ancestors directive when it was used in the Web Extension's Content Security Policy. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Affected (3)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 97.0
Mozilla Firefox Esr	Before 91.6
Mozilla Thunderbird	Before 91.6

Related CWEs

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (9)

https://bugzilla.mozilla.org/show_bug.cgi?id=1745566

Source: security@mozilla.org

Issue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-04/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-05/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-06/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1745566

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-04/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-05/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-06/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1745566

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Issue TrackingVendor Advisory

Timeline

No history available yet.