CVE-2022-31744 : An attacker could have injected CSS into stylesheets accessible via internal URI

An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.

Published 2022-12-22 20:15:30

Updated 2025-04-15 19:15:59

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2022-31744

Mozilla » Firefox
Versions before (<) 101.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions before (<) 91.11
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions before (<) 91.11
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-31744

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-31744

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2022-31744

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-31744

https://www.mozilla.org/security/advisories/mfsa2022-20/

Security Vulnerabilities fixed in Firefox 101 — Mozilla
Vendor Advisory

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1757604

Access Denied
Issue Tracking;Permissions Required;Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2022-25/

Security Vulnerabilities fixed in Firefox ESR 91.11 — Mozilla
Vendor Advisory

CVEs referencing this url
https://www.mozilla.org/security/advisories/mfsa2022-26/

Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 — Mozilla
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-31744

Products affected by CVE-2022-31744

Exploit prediction scoring system (EPSS) score for CVE-2022-31744

CVSS scores for CVE-2022-31744

CWE ids for CVE-2022-31744

References for CVE-2022-31744