CVE-2022-38472

MEDIUM

Thunderbird <102.2-Firefox <104 - CSRF

Title source: llm

Description

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird < 102.2, Thunderbird < 91.13, Firefox ESR < 91.13, Firefox ESR < 102.2, and Firefox < 104.

References (6)

[Issue Tracking, Permissions Required, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1769155

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-33/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-34/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-35/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-36/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-37/

Scores

CVSS v3 6.5

EPSS 0.0017

EPSS Percentile 38.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Classification

CWE

CWE-346

Status published

Affected Products (2)

mozilla/firefox < 104.0

mozilla/thunderbird < 91.13

Timeline

Published Dec 22, 2022

Tracked Since Feb 18, 2026