CVE-2022-28284

EPSS 0.45%
Published 22.12.2022 20:15:24
Last modified 16.04.2025 14:15:18
Source security@mozilla.org
Teams watchlist Login
Open Login

SVG's <code><use></code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Mozilla ≫ Firefox Version < 99.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.45%	0.631

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://www.mozilla.org/security/advisories/mfsa2022-13/

Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1754522

Vendor Advisory

Issue Tracking

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-28284

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28284

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28284

EUVD