CVE-2022-22756
HIGHFirefox < 97.0 and Firefox ESR < 91.6 - Arbitrary Code Execution via Drag-and-Drop Image
Title source: llmDescription
If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.
References (4)
Core 4
Core References
Exploit, Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1317873
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-04/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-05/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-06/
Scores
CVSS v3
8.8
EPSS
0.0024
EPSS Percentile
47.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (3)
mozilla/firefox
< 97.0
mozilla/firefox_esr
< 91.6
mozilla/thunderbird
< 91.6
Published
Dec 22, 2022
Tracked Since
Feb 18, 2026