- CVSS
- HIGH · 8.8 (v3.1) · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Published
- 2022-12-22
- Weakness
- CWE-116
- Source
- nvd.nist.gov/vuln/detail/CVE-2022-22744
Description
The curl command constructed by the “Copy as curl” feature in DevTools was not properly escaped for PowerShell. This could have led to command injection if the command was pasted into a PowerShell prompt.
This bug only affects Thunderbird for Windows. Other operating systems are unaffected. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1737252
- https://www.mozilla.org/security/advisories/mfsa2022-01/
- https://www.mozilla.org/security/advisories/mfsa2022-02/
- https://www.mozilla.org/security/advisories/mfsa2022-03/