An attacker could host a specially crafted website or instant message that would cause Thunderbird or Firefox to use a compromised object as a prototype, setting any properties they wanted. An attacker could corrupt an object and inject malicious code into it before it is sent to the client. On the server, if the object was changed to have malicious code, privileged code could be executed. This could lead to attackers gaining access to data, setting up phishing attacks, or carrying out other attacks as described in the Mozilla documentation. This vulnerability was found in the way objects are created and handled. It was a result of a bug in the JavaScript language implementation, and was fixed in Firefox 102, Firefox ESR 91.11, and Thunderbird 102.
References
Mozilla Security Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2022-2200
Mozilla Bug Report
https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2022-2200
CVE-2023-2200
An attacker could host a specially crafted website or instant message that would cause Thunderbird or Firefox to use a compromised object as a prototype, setting any properties they wanted. An attacker could corrupt an object and inject malicious code into it before it is sent to the client. On the server, if the object was changed to have malicious code, privileged code could be executed. This vulnerability was found in the way objects are created and handled. It was a result of a bug in the JavaScript language implementation, and was fixed in Firefox 102, Firefox ESR 91.11, and Thunderbird 102.
Information disclosure vulnerability
In Thunderbird and Firefox, when an object is received in the messaging client, it is created as a prototype. It also creates a copy of itself on the server. This allows the object to be changed on the server before it is sent to the client. An attacker could host a specially crafted website or instant message that would cause Thunderbird or Firefox to use the compromised object as a prototype, setting any properties they wanted. An attacker could corrupt an object and inject malicious code into it before it is sent to the client. On the server, if the object was changed to have malicious code, privileged code could be executed. This could lead to attackers gaining access to data, setting up phishing attacks, or carrying out other attacks as described in the Mozilla documentation.
How Do I Use This Guide?
This guide will help you understand how to secure your computer against these threats.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 20:14:00 UTC