Risk | High |
Patch available | YES |
Number of vulnerabilities | 17 |
CVE-ID | CVE-2021-43535 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43534 CVE-2021-43536 CVE-2021-43546 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 |
CWE-ID | CWE-416 CWE-254 CWE-357 CWE-1021 CWE-119 CWE-200 CWE-451 CWE-704 CWE-20 CWE-835 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
firefox-esr (Debian package) Operating systems & Components / Operating system package or component |
Vendor | Debian |
Security Bulletin
This security bulletin contains information about 17 vulnerabilities.
EUVDB-ID: #VU57889
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43535
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTTP/2 session object. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57876
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38503
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the iframe sandbox rules were not correctly applied to XSLT stylesheets. A remote attacker can load use an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57878
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38504
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when interacting with an HTML input element's file picker dialog with webkitdirectory
set. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57880
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38506
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to Firefox could have entered fullscreen mode without notification or warning to the user. A remote attacker can perform spoofing attacks on the browser UI.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57881
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38507
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in the Opportunistic Encryption feature of HTTP2, which allows a connection to be transparently upgraded to TLS while retaining
the visual properties of an HTTP connection, including being
same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port
8443) did not opt-in to opportunistic encryption; a network attacker
could forward a connection from the browser from port 443 to port 8443,
causing the browser to treat the content of port 8443 as same-origin
with HTTP. As a result, a remote attacker can bypass Same-Origin-Policy on services hosted on other ports.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57882
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38508
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to Firefox displays the form validity message in the correct location at the same time as a permission prompt (such as for geolocation). The validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57883
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-38509
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of an unusual sequence of attacker-controlled events. A remote attacker can display a Javascript alert()
dialog with arbitrary (although unstyled) contents over top of arbitrary webpage of the attacker's choosing.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU57888
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43534
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58585
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43536
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to URL leakage when executing asynchronous functions. A remote attacker can trick the victim to open a specially crafted web page and reveal the URL of the page that is being visited afterwards.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58616
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43546
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data, when native cursor is zoomed. A remote attacker can perform cursor spoofing attack.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58586
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43537
CWE-ID:
CWE-704 - Type conversion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a type conversion error when processing sizes from 64bit to 32bit integers when using structured clone. A remote attacker can trick the victim to visit a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the system.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58607
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43538
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to a race in notification code. A remote attacker can hide the notification for pages that had received full screen and pointer lock access. Successful exploitation of the vulnerability may allow an attacker to perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58608
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43539
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in GC rooting when calling wasm instance methods. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58611
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43541
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when handling spaces in URLS with external protocol handlers. A remote attacker can trick the victim to click on a specially crafted link and pass unescaped input to a third-party application via URI handler.
Install update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58612
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43542
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way Firefox handles XMLHttpRequest requests. A remote attacker can initiate a XMLHttpRequest and identify installed applications by probing error messages for loading external protocols.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58613
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43543
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling CSP policies. Documents loaded with the CSP sandbox directive can escape the sandbox's script restriction by embedding additional content.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58615
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43545
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when using Location API. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsfirefox-esr (Debian package): 78.14.0esr-1~deb11u1 - 78.15.0esr-1~deb11u1
CPE2.3http://www.debian.org/security/2021/dsa-5026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.