CVE-2022-28284

Summary

SVG's <code>&lt;use&gt;</code> element could have been used to load unexpected content that could have executed script in certain circumstances. While the specification seems to allow this, other browsers do not, and web developers relied on this property for script security so gecko's implementation was aligned with theirs. This vulnerability affects Firefox < 99.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 99affected

Weaknesses

  • Script could be executed via svg's use element

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References