The vulnerabilities reported in Mozilla Firefox can allow a remote attacker to bypass security restrictions, access sensitive information, perform spoofing attacks, execute arbitrary code and cause a denial of service on target systems.
These vulnerabilities exist due to memory safety bugs within the browser, issues triggered while opening local .lnk files, a preload cache that bypasses subresource integrity checks, and a leak of cross-site redirect information when using the Performance API.
Other issues can cause the user interface to hang while visiting a website with a long URL, allow mouse position spoofing with CSS transforms, expose directory indexes for bundled resources, and involve reflected URL parameters.
The threat alert also points out that successful exploitation of these vulnerabilities can allow attackers to send specially crafted web requests and bypass security restrictions, thus gaining access to sensitive information and performing spoofing attacks on targeted systems.
The vulnerabilities can be fixed by updating to Mozilla Firefox version 103, or Mozilla Firefox ESR versions 102.1 and 91.12.
In Oracle
Vulnerabilities have been reported in multiple Oracle products which can be exploited by attackers to execute arbitrary code, bypass security restrictions and gain unauthorised access to resources on targeted systems.
The vulnerabilities have been reported in various components of Oracle products and some of them can be exploited over a network without requiring user credentials.
According to the report from CERT-In, these vulnerabilities can be used by an attacker to execute arbitrary code, bypass security restrictions and gain unauthorized access to restricted resources on the targeted system.
The report recommends applying appropriate security updates mentioned in Oracle’s critical security patch update for July 2022 to fix the vulnerabilities.