gsd - gsd-2022-45404

gsd-2022-45404

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Through a series of popup and <code>window.print()</code> calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

Aliases

CVE-2022-45404

Aliases

CVE-2022-45404

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-45404",
    "description": "Through a series of popup and \u003ccode\u003ewindow.print()\u003c/code\u003e calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR \u003c 102.5, Thunderbird \u003c 102.5, and Firefox \u003c 107.",
    "id": "GSD-2022-45404",
    "references": [
      "https://www.debian.org/security/2022/dsa-5282",
      "https://www.debian.org/security/2022/dsa-5284",
      "https://advisories.mageia.org/CVE-2022-45404.html",
      "https://access.redhat.com/errata/RHSA-2022:8543",
      "https://access.redhat.com/errata/RHSA-2022:8544",
      "https://access.redhat.com/errata/RHSA-2022:8545",
      "https://access.redhat.com/errata/RHSA-2022:8547",
      "https://access.redhat.com/errata/RHSA-2022:8548",
      "https://access.redhat.com/errata/RHSA-2022:8549",
      "https://access.redhat.com/errata/RHSA-2022:8550",
      "https://access.redhat.com/errata/RHSA-2022:8552",
      "https://access.redhat.com/errata/RHSA-2022:8553",
      "https://access.redhat.com/errata/RHSA-2022:8554",
      "https://access.redhat.com/errata/RHSA-2022:8555",
      "https://access.redhat.com/errata/RHSA-2022:8556",
      "https://access.redhat.com/errata/RHSA-2022:8561",
      "https://access.redhat.com/errata/RHSA-2022:8580",
      "https://access.redhat.com/errata/RHSA-2022:8979",
      "https://access.redhat.com/errata/RHSA-2022:8980",
      "https://www.suse.com/security/cve/CVE-2022-45404.html",
      "https://ubuntu.com/security/CVE-2022-45404"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-45404"
      ],
      "details": "Through a series of popup and \u003ccode\u003ewindow.print()\u003c/code\u003e calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR \u003c 102.5, Thunderbird \u003c 102.5, and Firefox \u003c 107.",
      "id": "GSD-2022-45404",
      "modified": "2023-12-13T01:19:24.906136Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@mozilla.org",
        "ID": "CVE-2022-45404",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Firefox ESR",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.5"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Thunderbird",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "102.5"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "107"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Mozilla"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Through a series of popup and \u003ccode\u003ewindow.print()\u003c/code\u003e calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR \u003c 102.5, Thunderbird \u003c 102.5, and Firefox \u003c 107."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Fullscreen notification bypass"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-47/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-47/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-49/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-49/"
          },
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-48/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-48/"
          },
          {
            "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1790815",
            "refsource": "MISC",
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1790815"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "107.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "102.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "102.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2022-45404"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Through a series of popup and \u003ccode\u003ewindow.print()\u003c/code\u003e calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR \u003c 102.5, Thunderbird \u003c 102.5, and Firefox \u003c 107."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-49/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-49/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-48/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-48/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-47/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-47/"
            },
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1790815",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1790815"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-01-04T16:07Z",
      "publishedDate": "2022-12-22T20:15Z"
    }
  }
}

CVE-2022-45404 (GCVE-0-2022-45404)

Vulnerability from cvelistv5

Published

2022-12-22 00:00

Modified

2025-04-15 15:14

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

Fullscreen notification bypass

Summary

References

URL

Tags

	https://www.mozilla.org/security/advisories/mfsa2022-47/
	https://www.mozilla.org/security/advisories/mfsa2022-49/
	https://www.mozilla.org/security/advisories/mfsa2022-48/
	https://bugzilla.mozilla.org/show_bug.cgi?id=1790815

Impacted products

Vendor

Product

Version

Mozilla

Firefox ESR

Version: unspecified < 102.5

	Mozilla	Thunderbird	Version: unspecified < 102.5
	Mozilla	Firefox	Version: unspecified < 107

Show details on NVD website