Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 60.7.2< 67.0.4Mozilla Thunderbird
APPMozilla< 60.7.2
CISA KEV — szczegółyi
- Dostawcai
- Mozilla ↗
- Produkti
- Firefox and Thunderbird
- Data dodania do KEVi
- 23 maja 2022
- Termin remediation (USA)i
- 13 czerwca 2022(po terminie)
Zastosuj aktualizacje zgodnie z instrukcjami producenta.
▸ Pokaż oryginał (EN)
Apply updates per vendor instructions.
Mozilla Firefox i Thunderbird zawierają lukę sandbox escape, która może prowadzić do remote code execution.
▸ Pokaż oryginał (EN)
Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.
Powiązane podatności
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird ...