Multiple vulnerabilities in Mozilla Firefox for Android
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-23977 CVE-2021-23976 |
| CWE-ID | CWE-367 CWE-264 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Firefox for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Race condition
EUVDB-ID: #VU50885
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23977
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: No
DescriptionThe vulnerability allows a malicious application to read sensitive information.
The vulnerability exists due to a race condition. A local application can read sensitive data from Firefox directories.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 80.1.2 - 85.1.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU50884
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23976
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local application to escalate privileges on the system.
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 80.1.2 - 85.1.3
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
