CVE-2022-28284

EPSS 0.45%
Veröffentlicht 22.12.2022 20:15:24
Zuletzt bearbeitet 16.04.2025 14:15:18
Quelle security@mozilla.org
Teams Watchlist Login
Unerledigt Login

SVG's <code><use></code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mozilla ≫ Firefox Version < 99.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.631

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://www.mozilla.org/security/advisories/mfsa2022-13/

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1754522

Vendor Advisory

Issue Tracking

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-28284

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28284

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28284

EUVD