CVE-2022-28284

EUVD-2022-32736
SVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
< 99.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
132.0.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
bionic
Fixed 99.0+build2-0ubuntu0.18.04.2
released
focal
Fixed 99.0+build2-0ubuntu0.20.04.2
released
impish
Fixed 99.0+build2-0ubuntu0.21.10.2
released
jammy
Fixed 1:1snap1-0ubuntu1
released
kinetic
Fixed 1:1snap1-0ubuntu1
released
lunar
Fixed 1:1snap1-0ubuntu1
released
trusty
dne
xenial
ignored
Common Weakness Enumeration
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1754522
https://www.mozilla.org/security/advisories/mfsa2022-13/
https://bugzilla.mozilla.org/show_bug.cgi?id=1754522
https://www.mozilla.org/security/advisories/mfsa2022-13/
https://bugzilla.mozilla.org/show_bug.cgi?id=1754522