{"id":"MGASA-2022-0309","summary":"Updated firefox/nss packages fix security vulnerability","details":"An attacker could have abused XSLT error handling to associate\nattacker-controlled content with another origin which was displayed in the\naddress bar. This could have been used to fool the user into submitting\ndata intended for the spoofed origin (CVE-2022-38472).\n\nA cross-origin iframe referencing an XSLT document would inherit the\nparent domain's permissions (such as microphone or camera access)\n(CVE-2022-38473).\n\nMembers the Mozilla Fuzzing Team reported memory safety bugs present in\nFirefox ESR 91.12. Some of these bugs showed evidence of memory corruption\nand we presume that with enough effort some of these could have been\nexploited to run arbitrary code (CVE-2022-38478).\n","modified":"2026-04-16T00:12:44.044367803Z","published":"2022-08-25T21:21:07Z","upstream":["CVE-2022-38472","CVE-2022-38473","CVE-2022-38478"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0309.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30765"},{"type":"WEB","url":"https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/oOKOnyGPMQQ"},{"type":"WEB","url":"https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uceBXfAG1pM"},{"type":"WEB","url":"https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_82.html"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-35/"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2022:6174"}],"affected":[{"package":{"name":"firefox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/firefox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.13.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0309.json"}},{"package":{"name":"firefox-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.13.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0309.json"}},{"package":{"name":"nspr","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/nspr?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.34.1-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0309.json"}},{"package":{"name":"nss","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/nss?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.82.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0309.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}