CVE-2022-38472
Published: 24 August 2022
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.
Notes
Author | Note |
---|---|
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
Priority
Status
Package | Release | Status |
---|---|---|
firefox | trusty | Does not exist |
firefox | xenial | Ignored (end of standard support) |
firefox | bionic | Released (104.0+build3-0ubuntu0.18.04.1) |
firefox | focal | Released (104.0+build3-0ubuntu0.20.04.1) |
firefox | jammy | Not vulnerable (code not present) |
firefox | upstream | Released (104) |
firefox | kinetic | Not vulnerable (code not present) |
firefox | lunar | Not vulnerable (code not present) |
thunderbird | trusty | Does not exist |
thunderbird | bionic | Released (1:102.2.2+build1-0ubuntu0.18.04.1) |
thunderbird | focal | Released (1:102.2.2+build1-0ubuntu0.20.04.1) |
thunderbird | jammy | Released (1:102.2.2+build1-0ubuntu0.22.04.1) |
thunderbird | upstream | Released (91.13) |
thunderbird | kinetic | Ignored (end of life, was needs-triage) |
thunderbird | lunar | Not vulnerable (1:102.3.3+build1-0ubuntu1) |
thunderbird | xenial | Ignored (end of standard support) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |