![]() ![]() #CVE-2022-26381: Use-after-free in text reflows Reporter Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative Impact high DescriptionĪn attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash. When installing an add-on, Thunderbird verified the signature before prompting the user but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed. #CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures Reporter Armin Ebert Impact high Description If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. #CVE-2022-26384: iframe allow-scripts sandbox bypass Reporter Ed McManus Impact high Description When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification. #CVE-2022-26383: Browser window spoof using fullscreen mode Reporter Irvan Kurniawan Impact high Description In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. Mozilla Foundation Security Advisory 2022-12 Security Vulnerabilities fixed in Thunderbird 91.7 Announced MaImpact high Products Thunderbird Fixed in
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |