Risk | High |
Patch available | YES |
Number of vulnerabilities | 10 |
CVE-ID | CVE-2021-23969 CVE-2021-23970 CVE-2021-23968 CVE-2021-23974 CVE-2021-23971 CVE-2021-23972 CVE-2021-23975 CVE-2021-23973 CVE-2021-23978 CVE-2021-23979 |
CWE-ID | CWE-358 CWE-617 CWE-79 CWE-254 CWE-451 CWE-399 CWE-200 CWE-119 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
EUVDB-ID: #VU50879
Risk: Medium
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23969
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of W3C Content Security Policy. Under certain types of redirects Firefox incorrectly sets the source
file to be the destination of the redirects. A remote attacker can gain knowledge of the destination URL.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 60.0 - 85.0.2
Firefox ESR: 60.0 - 78.7.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
http://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50880
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23970
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a reachable assertion in multithreaded wasm code, when validating separation of script domains. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger an assertion failure and bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 85.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50881
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23968
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of W3C Content Security Policy. If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. A remote attacker can gain knowledge of sensitive information contained in such URIs. MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 60.0 - 85.0.2
Firefox ESR: 60.0 - 78.7.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
http://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50882
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23974
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The DOMParser API did not properly process <noscript>
elements for escaping. A remote attacker can bypass HTML Sanitizer and perform XSS attacks.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 85.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50883
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23971
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when processing a redirect with a conflicting Referrer-Policy. The browser adopts redirect's Referrer-Policy, which may result in disclosure of more information than intended by the original origin.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 85.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50886
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23972
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of cached redirects with HTTP authentication. A remote attacker can force the browser not to display a phishing warning dialog, if the malicious website was previously cached by the browser.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 85.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50887
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23975
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked, the browser called the sizeof function instead of using the API method that checks for invalid pointers.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 85.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50888
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23973
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output via a decoding error, when trying to load a cross-origin resource in an audio/video context. A remote attacker can gain access to information about the resource.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 6.0 - 85.0.2
Firefox ESR: 60.0 - 78.7.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
http://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50889
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23978
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 60.0 - 85.0.2
Firefox ESR: 60.0 - 78.7.1
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
http://www.mozilla.org/en-US/security/advisories/mfsa2021-08/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50890
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23979
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 85.0.2
External linkshttp://www.mozilla.org/en-US/security/advisories/mfsa2021-07/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.