CVE-2022-32308

NameCVE-2022-32308
DescriptionCross Site Scripting (XSS) vulnerability in uBlock Origin extension before 1.41.1 allows remote attackers to run arbitrary code via a spoofed 'MessageSender.url' to the browser renderer process.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3062-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ublock-origin (PTS)buster1.42.0+dfsg-1~deb10u1fixed
bullseye1.42.0+dfsg-1~deb11u1fixed
bookworm1.46.0+dfsg-1fixed
sid, trixie1.57.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ublock-originsourcestretch1.42.0+dfsg-1~deb9u1DLA-3062-1
ublock-originsourcebuster1.42.0+dfsg-1~deb10u1
ublock-originsourcebullseye1.42.0+dfsg-1~deb11u1
ublock-originsource(unstable)1.42.0+dfsg-1

Notes

https://github.com/uBlockOrigin/uBlock-issues/issues/1992
https://github.com/gorhill/uBlock/commit/e1e2ba3d5d00112f74464ddcc9f561f065dd3623 (1.41.5b2)
https://github.com/gorhill/uBlock/commit/60072e7996e58cd7cca5186fde742d83cc6a612c (1.41.7b0)
Search for package or bug name: Reporting problems