Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 60.7.2< 67.0.4Mozilla Thunderbird
APPMozilla< 60.7.2
CISA KEV — detailsi
- Vendori
- Mozilla ↗
- Producti
- Firefox and Thunderbird
- Added to KEVi
- May 23, 2022
- Remediation deadline (US Federal)i
- June 13, 2022(overdue)
Apply updates per vendor instructions.
Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird ...