usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control allowing an attacker to take over an account by changing header values in the HTTP request.

**usememos/memos vulnerable to account takeover due to improper access control**

High severity GitHub Reviewed Published Dec 23, 2022 • Updated Dec 27, 2022

GHSA-w57v-6xp4-rm2v: usememos/memos vulnerable to account takeover due to improper access control

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-36354: TALOS-2022-1629 || Cisco Talos Intelligence Group

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.<br>*Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 100.

Sorry, I can't find "_1757138?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29910: Invalid Bug ID

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects. This vulnerability affects Firefox < 100.

**Mozilla Foundation Security Advisory 2022-16**

Announced

May 3, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 100

**#CVE-2022-29914: Fullscreen notification bypass using popups**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

**References**

*   Bug 1746448

**#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts**

Reporter

Armin Ebert

Impact

high

**Description**

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.

**References**

*   Bug 1755081

**#CVE-2022-29916: Leaking browser history with CSS variables**

Reporter

Mateusz Sionkowski

Impact

high

**Description**

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history.

**References**

*   Bug 1760674

**#CVE-2022-29911: iframe Sandbox bypass**

Reporter

Trung Pham

Impact

high

**Description**

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present.

**References**

*   Bug 1761981

**#CVE-2022-29912: Reader mode bypassed SameSite cookies**

Reporter

Matheus Vrech

Impact

moderate

**Description**

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

**References**

*   Bug 1692655

**#CVE-2022-29910: Firefox for Android forgot HTTP Strict Transport Security settings**

Reporter

Mark B

Impact

moderate

**Description**

When closed or sent to the background, Firefox for Android would not properly record and persist HSTS settings.  
_Note: This issue only affected Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1757138

**#CVE-2022-29915: Leaking cross-origin redirect through the Performance API**

Reporter

Sohom Datta

Impact

low

**Description**

The Performance API did not properly hide the fact whether a request cross-origin resource has observed redirects.

**References**

*   Bug 1751678

**#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

**#CVE-2022-29918: Memory safety bugs fixed in Firefox 100**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Randell Jesup and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100

CVE-2022-29915: Security Vulnerabilities fixed in Firefox 100

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

**Mozilla Foundation Security Advisory 2022-17**

Announced

May 3, 2022

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 91.9

**#CVE-2022-29914: Fullscreen notification bypass using popups**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks.

**References**

*   Bug 1746448

**#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts**

Reporter

Armin Ebert

Impact

high

**Description**

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions.

**References**

*   Bug 1755081

**#CVE-2022-29916: Leaking browser history with CSS variables**

Reporter

Mateusz Sionkowski

Impact

high

**Description**

Firefox behaved slightly differently for already known resources when loading CSS resources involving CSS variables. This could have been used to probe the browser history.

**References**

*   Bug 1760674

**#CVE-2022-29911: iframe Sandbox bypass**

Reporter

Trung Pham

Impact

high

**Description**

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present.

**References**

*   Bug 1761981

**#CVE-2022-29912: Reader mode bypassed SameSite cookies**

Reporter

Matheus Vrech

Impact

moderate

**Description**

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute.

**References**

*   Bug 1692655

**#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight, Gabriele Svelto, Tom Ritter and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 99 and Firefox ESR 91.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9

CVE-2022-29909: Security Vulnerabilities fixed in Firefox ESR 91.9

The parent process would not properly check whether the Speech Synthesis feature is enabled, when receiving instructions from a child process. This vulnerability affects Thunderbird < 91.9.

Sorry, I can't find "_1764778?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-29913: Invalid Bug ID

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

**Mozilla Foundation Security Advisory 2022-02**

Announced

January 11, 2022

Impact

high

Products

Firefox ESR

Fixed in

*   Firefox ESR 91.5

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Thunderbird for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Thunderbird into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

CVE-2021-4140: Security Vulnerabilities fixed in Firefox ESR 91.5

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

**Mozilla Foundation Security Advisory 2022-01**

Announced

January 11, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 96

**#CVE-2022-22746: Calling into reportValidity could have lead to fullscreen window spoof**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1735071

**#CVE-2022-22743: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When navigating from inside an iframe while requesting fullscreen access, an attacker-controlled tab could have made the browser unable to leave fullscreen mode.

**References**

*   Bug 1739220

**#CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When inserting text while in edit mode, some characters might have lead to out-of-bounds memory access causing a potentially exploitable crash.

**References**

*   Bug 1739923

**#CVE-2022-22741: Browser window spoof using fullscreen mode**

Reporter

Irvan Kurniawan

Impact

high

**Description**

When resizing a popup while requesting fullscreen access, the popup would have become unable to leave fullscreen mode.

**References**

*   Bug 1740389

**#CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1742334

**#CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur**

Reporter

Atte Kettunen

Impact

high

**Description**

Applying a CSS filter effect could have accessed out of bounds memory. This could have lead to a heap-buffer-overflow causing a potentially exploitable crash.

**References**

*   Bug 1742382

**#CVE-2022-22737: Race condition when playing audio files**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

high

**Description**

Constructing audio sinks could have lead to a race condition when playing audio files and closing windows. This could have lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1745874

**#CVE-2021-4140: Iframe sandbox bypass with XSLT**

Reporter

Peter Van der Beken

Impact

high

**Description**

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox.

**References**

*   Bug 1746720

**#CVE-2022-22750: IPC passing of resource handles could have lead to sandbox bypass**

Reporter

Jed Davis

Impact

moderate

**Description**

By generally accepting and passing resource handles across processes, a compromised content process might have confused higher privileged processes to interact with handles that the unprivileged process should not have access to.  
_This bug only affects Firefox for Windows and MacOS. Other operating systems are unaffected._

**References**

*   Bug 1566608

**#CVE-2022-22749: Lack of URL restrictions when scanning QR codes**

Reporter

Wladimir Palant working with Include Security

Impact

moderate

**Description**

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1705094

**#CVE-2022-22748: Spoofed origin on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

moderate

**Description**

Malicious websites could have confused Firefox into showing the wrong origin when asking to launch a program and handling an external URL protocol.

**References**

*   Bug 1705211

**#CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event**

Reporter

Jannis Rautenstrauch

Impact

moderate

**Description**

Securitypolicyviolation events could have leaked cross-origin information for frame-ancestors violations

**References**

*   Bug 1735856

**#CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection**

Reporter

Mattias Jacobsson

Impact

moderate

**Description**

The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.  
_This bug only affects Firefox for Windows. Other operating systems are unaffected._

**References**

*   Bug 1737252

**#CVE-2022-22763: Script Execution during invalid object state**

Reporter

Mozilla Fuzzing Team

Impact

moderate

**Description**

When a worker is shutdown, it was possible to cause script to run late in the lifecycle, at a point after where it should not be possible.

**References**

*   Bug 1740534

**#CVE-2022-22747: Crash when handling empty pkcs7 sequence**

Reporter

Tavis Ormandy

Impact

low

**Description**

After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable.

**References**

*   Bug 1735028

**#CVE-2022-22736: Potential local privilege escalation when loading modules from the install directory.**

Reporter

Toshihito Kikuchi

Impact

low

**Description**

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.  
_This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected._

**References**

*   Bug 1742692

**#CVE-2022-22739: Missing throttling on external protocol launch dialog**

Reporter

Alesandro Ortiz

Impact

low

**Description**

Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol.

**References**

*   Bug 1744158

**#CVE-2022-22751: Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason Kratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported memory safety bugs present in Firefox 95 and Firefox ESR 91.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96 and Firefox ESR 91.5

**#CVE-2022-22752: Memory safety bugs fixed in Firefox 96**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 96

CVE-2022-22749: Security Vulnerabilities fixed in Firefox 96

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash. This vulnerability affects Firefox < 99.

**Mozilla Foundation Security Advisory 2022-13**

Announced

April 5, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 99

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potentially exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28283: Missing security checks for fetching sourceMapURL**

Reporter

Gijs

Impact

moderate

**Description**

The sourceMapURL feature in devtools was missing security checks that would have allowed a webpage to attempt to include local files or other files that should have been inaccessible.

**References**

*   Bug 1754066

**#CVE-2022-28284: Script could be executed via svg's use element**

Reporter

Leo Balter

Impact

moderate

**Description**

SVG's <use> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs.

**References**

*   Bug 1754522

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-28287: Text Selection could crash Firefox**

Reporter

Aryan Sinha

Impact

low

**Description**

In unusual circumstances, selecting text could cause text selection caching to behave incorrectly, leading to a crash.

**References**

*   Bug 1741515

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98 and Firefox ESR 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

**#CVE-2022-28288: Memory safety bugs fixed in Firefox 99**

Reporter

Mozilla developers

Impact

moderate

**Description**

Mozilla developers and community members Randell Jesup, Sebastian Hengst, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 99

CVE-2022-28287: Security Vulnerabilities fixed in Firefox 99

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash. This vulnerability affects Thunderbird < 91.8 and Firefox ESR < 91.8.

**Mozilla Foundation Security Advisory 2022-15**

Announced

April 5, 2022

Impact

high

Products

Thunderbird

Fixed in

*   Thunderbird 91.8

_In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts._

**#CVE-2022-1097: Use-after-free in NSSToken objects**

Reporter

Randell Jesup

Impact

high

**Description**

NSSToken objects were referenced via direct points, and could have been accessed in an unsafe way on different threads, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1745667

**#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions**

Reporter

Axel '0vercl0k' Souchet

Impact

high

**Description**

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash.

**References**

*   Bug 1755621

**#CVE-2022-1197: OpenPGP revocation information was ignored**

Reporter

Thunderbird user Johannes König

Impact

moderate

**Description**

When importing a revoked key that specified key compromise as the revocation reason, Thunderbird did not update the existing copy of the key that was not yet revoked, and the existing key was kept as non-revoked. Revocation statements that used another revocation reason, or that didn't specify a revocation reason, were unaffected.

**References**

*   Bug 1754985

**#CVE-2022-1196: Use-after-free after VR Process destruction**

Reporter

bo13oy of Cyber Kunlun Lab

Impact

moderate

**Description**

After a VR Process is destroyed, a reference to it may have been retained and used, leading to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1750679

**#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument**

Reporter

Kirin

Impact

moderate

**Description**

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash.

**References**

*   Bug 1751609

**#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen**

Reporter

Lukas Bernhard

Impact

moderate

**Description**

When generating the assembly code for MLoadTypedArrayElementHole, an incorrect AliasSet was used. In conjunction with another vulnerability this could have been used for an out of bounds memory read.

**References**

*   Bug 1756957

**#CVE-2022-28286: iframe contents could be rendered outside the border**

Reporter

prada960808

Impact

low

**Description**

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks.

**References**

*   Bug 1735265

**#CVE-2022-24713: Denial of Service via complex regular expressions**

Reporter

Addison Crump and Jan-Erik Rediger

Impact

low

**Description**

The rust regex crate did not properly prevent crafted regular expressions from taking an arbitrary amount of time during parsing. If an attacker was able to supply input to this crate, they could have caused a denial of service in the browser.

**References**

*   Bug 1758509

**#CVE-2022-28289: Memory safety bugs fixed in Thunderbird 91.8**

Reporter

Mozilla developers and community

Impact

high

**Description**

Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 91.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Thunderbird 91.8

Tag

#perl