Mozilla fixes high-severity security vulnerabilities in Firefox 97 and Firefox ESR 91.6

Hey everyone,

Mozilla has fixed several high-severity security vulnerabilities in Firefox 97 and Firefox ESR 91.6. The details of the vulnerabilities fixed are as follows:

| Platform | CVE ID | Vulnerability | Impact |
|---|---|---|---|
| Firefox 97 | CVE-2022-22753 | Privilege Escalation to SYSTEM on Windows via Maintenance Service | High |
| Firefox 97 | CVE-2022-22754 | Extensions could have bypassed permission confirmation during update | High |
| Firefox 97 | CVE-2022-22755 | XSL could have allowed JavaScript execution after a tab was closed | Moderate |
| Firefox 97 | CVE-2022-22756 | Drag and dropping an image could have resulted in the dropped object being an executable | Moderate |
| Firefox 97 | CVE-2022-22757 | Remote Agent did not prevent local websites from connecting | Moderate |
| Firefox 97 | CVE-2022-22758 | tel: links could have sent USSD codes to the dialer on Firefox for Android | Moderate |
| Firefox 97 | CVE-2022-22759 | Sandboxed iframes could have executed script if the parent appended elements | Moderate |
| Firefox 97 | CVE-2022-22760 | Cross-Origin responses could be distinguished between script and non-script content-types | Moderate |
| Firefox 97 | | frame-ancestors Content Security Policy directive was not enforced for framed extension pages | Moderate |
| Firefox 97 | CVE-2022-22762 | JavaScript Dialogs could have been displayed over other domains on Firefox for Android | Low |
| Firefox 97 | CVE-2022-0511 | Memory safety bugs fixed in Firefox 97 | High |
| Firefox 97 and Firefox ESR 91.6 | CVE-2022-22764 | Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 | High |
| Firefox ESR 91.6 | CVE-2022-22753 | Privilege Escalation to SYSTEM on Windows via Maintenance Service | High |
| Firefox ESR 91.6 | CVE-2022-22754 | Extensions could have bypassed permission confirmation during update | High |
| Firefox ESR 91.6 | CVE-2022-22756 | Drag and dropping an image could have resulted in the dropped object being an executable | Moderate |
| Firefox ESR 91.6 | CVE-2022-22759 | Sandboxed iframes could have executed script if the parent appended elements | Moderate |
| Firefox ESR 91.6 | CVE-2022-22760 | Cross-Origin responses could be distinguished between script and non-script content-types | Moderate |
| Firefox ESR 91.6 | CVE-2022-22761 | frame-ancestors Content Security Policy directive was not enforced for framed extension pages | Moderate |
| Firefox ESR 91.6 | CVE-2022-22763 | Script Execution during invalid object state | Moderate |

To install these patches, initiate a sync between the Central Patch Repository and the Desktop Central / Patch Manager Plus / Vulnerability Manager Plus server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.

| Patch ID | Bulletin ID | Patch Description |
|---|---|---|
| 323533 | TU-027 | Mozilla Firefox (x64) (97.0) |
| 323532 | TU-027 | Mozilla Firefox (97.0) |
| 323535 | TU-054 | Mozilla Firefox ESR (91) (x64) (91.6.0) |
| 323534 | TU-054 | Mozilla Firefox ESR (91) (91.6.0) |
| 603594 | MAC-006 | Mozilla Firefox For Mac (97.0) |
| 603595 | MAC-111 | Mozilla Firefox ESR for MAC 91.6.0 |

Cheers,

The ManageEngine Team