First published: Tue Sep 20 2022
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox | <105 | 105 |
Mozilla Firefox ESR | <102.3 | 102.3 |
Mozilla Thunderbird | <102.3 | 102.3 |
The vulnerability ID is CVE-2022-40958.
The severity level of CVE-2022-40958 is medium.
CVE-2022-40958 affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
An attacker can exploit CVE-2022-40958 by injecting a cookie with certain special characters on a shared subdomain to set and overwrite cookies from a secure context.
Updating to Firefox ESR version 102.3 or higher, Thunderbird version 102.3 or higher, or Firefox version 105 or higher remediates CVE-2022-40958.