Risk | High |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2021-38503 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-38510 |
CWE-ID | CWE-254 CWE-416 CWE-200 CWE-357 CWE-1021 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
SUSE Linux Enterprise Module for Desktop Applications Operating systems & Components / Operating system MozillaFirefox-devel Operating systems & Components / Operating system package or component MozillaFirefox-translations-other Operating systems & Components / Operating system package or component MozillaFirefox-translations-common Operating systems & Components / Operating system package or component MozillaFirefox-debugsource Operating systems & Components / Operating system package or component MozillaFirefox-debuginfo Operating systems & Components / Operating system package or component MozillaFirefox Operating systems & Components / Operating system package or component |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU57876
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38503
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the iframe sandbox rules were not correctly applied to XSLT stylesheets. A remote attacker can load use an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57878
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38504
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when interacting with an HTML input element's file picker dialog with webkitdirectory
set. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57879
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38505
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to absence of support for a new feature in Windows 10 known as Cloud Clipboard that, if enabled, will record data copied to the clipboard to the
cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats, which were not implemented in previous versions of Firefox and Firefox ESR.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57880
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38506
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to Firefox could have entered fullscreen mode without notification or warning to the user. A remote attacker can perform spoofing attacks on the browser UI.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57881
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38507
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in the Opportunistic Encryption feature of HTTP2, which allows a connection to be transparently upgraded to TLS while retaining
the visual properties of an HTTP connection, including being
same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port
8443) did not opt-in to opportunistic encryption; a network attacker
could forward a connection from the browser from port 443 to port 8443,
causing the browser to treat the content of port 8443 as same-origin
with HTTP. As a result, a remote attacker can bypass Same-Origin-Policy on services hosted on other ports.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57882
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38508
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to Firefox displays the form validity message in the correct location at the same time as a permission prompt (such as for geolocation). The validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
MitigationUpdate the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57883
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38509
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of an unusual sequence of attacker-controlled events. A remote attacker can display a Javascript alert()
dialog with arbitrary (although unstyled) contents over top of arbitrary webpage of the attacker's choosing.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57884
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38510
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to silently download dangerous files on the system.
The vulnerability exists due to the executable file warning is not presented to the user when downloading .inetloc files. A remote attacker can silently download a potentially dangerous file to the user's system.
The vulnerability affects macOS operating system only.
Update the affected package MozillaFirefox to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for Desktop Applications: 15-SP2 - 15-SP3
MozillaFirefox-devel: before 91.3.0-152.6.1
MozillaFirefox-translations-other: before 91.3.0-152.6.1
MozillaFirefox-translations-common: before 91.3.0-152.6.1
MozillaFirefox-debugsource: before 91.3.0-152.6.1
MozillaFirefox-debuginfo: before 91.3.0-152.6.1
MozillaFirefox: before 91.3.0-152.6.1
CPE2.3http://www.suse.com/support/update/announcement/2021/suse-su-20213745-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.