CVE-2022-28284

SVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mozillaCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
mozillafirefox
𝑥
< 99.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
132.0.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
lunar
Fixed 1:1snap1-0ubuntu1
released
kinetic
Fixed 1:1snap1-0ubuntu1
released
jammy
Fixed 1:1snap1-0ubuntu1
released
impish
Fixed 99.0+build2-0ubuntu0.21.10.2
released
focal
Fixed 99.0+build2-0ubuntu0.20.04.2
released
bionic
Fixed 99.0+build2-0ubuntu0.18.04.2
released
xenial
ignored
trusty
dne
Common Weakness Enumeration
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1754522
https://www.mozilla.org/security/advisories/mfsa2022-13/
https://bugzilla.mozilla.org/show_bug.cgi?id=1754522
https://www.mozilla.org/security/advisories/mfsa2022-13/
https://bugzilla.mozilla.org/show_bug.cgi?id=1754522