CVE-2022-28284

Published: Dec 22, 2022Modified: Apr 16, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

SVG's <code><use></code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.

Affected (1)

Products: Mozilla: Firefox

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 99.0

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (5)

https://bugzilla.mozilla.org/show_bug.cgi?id=1754522

Source: security@mozilla.org

Issue TrackingPermissions RequiredVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-13/

Source: security@mozilla.org

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1754522

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPermissions RequiredVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-13/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1754522

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Issue TrackingPermissions RequiredVendor Advisory

Timeline

No history available yet.