GSD-2022-34478 — Vulnetix

GSD-2022-34478 PUBLISHED CVSS 6.5 MEDIUM

The <code>ms-msdt</code>, <code>search</code>, and <code>search-ms</code> protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Thunderbird), so in this release Thunderbird has blocked these protocols from prompting the user to open them.<br>*This bug only affects Thunderbird on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products

Vendor	Product	Versions
Mozilla	Firefox ESR	unspecified
Mozilla	Thunderbird	unspecified, *
Mozilla	Firefox	unspecified

Exploit Intelligence

https://www.mozilla.org/security/advisories/mfsa2022-24/ (circl)
https://www.mozilla.org/security/advisories/mfsa2022-26/ (circl)
https://www.mozilla.org/security/advisories/mfsa2022-25/ (circl)
https://bugzilla.mozilla.org/show_bug.cgi?id=1773717 (circl)
CIRCL seen: CVE-2022-34478 (circl-sighting)

Timeline

May 31, 2022 CVE Published
Oct 1, 2025 PoC Published

References

Open in Interactive Console →