Vulnerability Details : CVE-2022-45411
Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-45411
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-45411
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 39 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-45411
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2022-45411
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-45411
-
https://www.mozilla.org/security/advisories/mfsa2022-49/
Security Vulnerabilities fixed in Thunderbird 102.5 — MozillaVendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2022-48/
Security Vulnerabilities fixed in Firefox ESR 102.5 — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1790311
Access DeniedIssue Tracking;Permissions Required;Vendor Advisory
-
https://www.mozilla.org/security/advisories/mfsa2022-47/
Security Vulnerabilities fixed in Firefox 107 — MozillaVendor Advisory
Jump to