Mozilla fixes high severity security vulnerabilities in Firefox 97, and Firefox ESR 91.6.
Hey everyone,
Mozilla has fixed several high severity security vulnerabilities in Firefox 97, and Firefox ESR 91.6. The details of the vulnerabilities fixed are as follows:
Platform | CVE ID | Vulnerability | Impact |
Firefox 97 | CVE-2022-22753 | Privilege Escalation to SYSTEM on Windows via Maintenance Service | High |
Firefox 97 | CVE-2022-22754 | Extensions could have bypassed permission confirmation during update | High |
Firefox 97 | CVE-2022-22755 | XSL could have allowed JavaScript execution after a tab was closed | Moderate |
Firefox 97 | CVE-2022-22756 | Drag and dropping an image could have resulted in the dropped object being an executable | Moderate |
Firefox 97 | CVE-2022-22757 | Remote Agent did not prevent local websites from connecting | Moderate |
Firefox 97 | CVE-2022-22758 | tel: links could have sent USSD codes to the dialer on Firefox for Android | Moderate |
Firefox 97 | CVE-2022-22759 | Sandboxed iframes could have executed script if the parent appended elements | Moderate |
Firefox 97 | CVE-2022-22760 | Cross-Origin responses could be distinguished between script and non-script content-types | Moderate |
Firefox 97 | frame-ancestors Content Security Policy directive was not enforced for framed extension pages | Moderate | |
Firefox 97 | CVE-2022-22762 | JavaScript Dialogs could have been displayed over other domains on Firefox for Android | Low |
Firefox 97 | CVE-2022-0511 | Memory safety bugs fixed in Firefox 97 | High |
| Firefox 97 and Firefox ESR 91.6 | CVE-2022-22764 | Memory safety bugs fixed in Firefox 97 and Firefox ESR 91.6 | High |
Firefox ESR 91.6 | CVE-2022-22753 | Privilege Escalation to SYSTEM on Windows via Maintenance Service | High |
Firefox ESR 91.6 | CVE-2022-22754 | Extensions could have bypassed permission confirmation during update | High |
Firefox ESR 91.6 | CVE-2022-22756 | Drag and dropping an image could have resulted in the dropped object being an executable | Moderate |
Firefox ESR 91.6 | CVE-2022-22759 | Sandboxed iframes could have executed script if the parent appended elements | Moderate |
Firefox ESR 91.6 | CVE-2022-22760 | Cross-Origin responses could be distinguished between script and non-script content-types | Moderate |
Firefox ESR 91.6 | CVE-2022-22761 | frame-ancestors Content Security Policy directive was not enforced for framed extension pages | Moderate |
Firefox ESR 91.6 | CVE-2022-22763 | Script Execution during invalid object state | Moderate |
To install these patches, initiate a sync between the Central Patch Repository and the Desktop Central / Patch Manager Plus / Vulnerability Manager Plus server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.
Patch ID | Bulletin ID | Patch Description |
323533 | TU-027 | Mozilla Firefox (x64) (97.0) |
323532 | TU-027 | Mozilla Firefox (97.0) |
323535 | TU-054 | Mozilla Firefox ESR (91) (x64) (91.6.0) |
323534 | TU-054 | Mozilla Firefox ESR (91) (91.6.0) |
603594 | MAC-006 | Mozilla Firefox For Mac (97.0) |
603595 | MAC-111 | Mozilla Firefox ESR for MAC 91.6.0 |
Cheers,
The ManageEngine Team