CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29993
https://notcve.org/view.php?id=CVE-2021-29993
03 Nov 2021 — Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92. Firefox para Android permitía una navegación mediante el protocolo "intent://", lo que podía ser usado para causar bloqueos y falsificaciones de la Interfaz de Usuario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1712242%2C1708767%2C1712240%2C1708544%2C1729259 •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2021-38492 – Gentoo Linux Security Advisory 202208-14
https://notcve.org/view.php?id=CVE-2021-38492
03 Nov 2021 — When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1. Cuando se delegaba la navegación al sistema operativo, Firefox aceptaba el esquema "mk" que podía perm... • https://bugzilla.mozilla.org/show_bug.cgi?id=1721107 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38494
https://notcve.org/view.php?id=CVE-2021-38494
03 Nov 2021 — Mozilla developers reported memory safety bugs present in Firefox 91. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 92. Los desarrolladores de Mozilla informaron de bugs de seguridad de memoria presentes en Firefox versión 91. Algunos de estos bugs mostraban evidencias de corrupción de memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían hab... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1723920%2C1725638 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38507 – Mozilla: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
https://notcve.org/view.php?id=CVE-2021-38507
03 Nov 2021 — The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as sam... • https://bugzilla.mozilla.org/show_bug.cgi?id=1730935 • CWE-346: Origin Validation Error CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38506 – Mozilla: Firefox could be coaxed into going into fullscreen mode without notification or warning
https://notcve.org/view.php?id=CVE-2021-38506
03 Nov 2021 — Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Mediante de una serie de navegaciones, Firefox podría haber entrado en modo de pantalla completa sin notificación o advertencia al usuario. Esto podría conllevar a ataques de suplantación de identidad en la Interfaz de Usuario del n... • https://bugzilla.mozilla.org/show_bug.cgi?id=1730750 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.1EPSS: 1%CPEs: 6EXPL: 0CVE-2021-38508 – Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
https://notcve.org/view.php?id=CVE-2021-38508
03 Nov 2021 — By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Al mostrar un mensaje de comprobación del formulario en la ubicación correcta al mismo tiempo que una solicitud de permiso (como para la geolocalización), el mensaje d... • https://bugzilla.mozilla.org/show_bug.cgi?id=1366818 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38504 – Mozilla: Use-after-free in file picker dialog
https://notcve.org/view.php?id=CVE-2021-38504
03 Nov 2021 — When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Cuando se interactúa con el diálogo del selector de archivos de un elemento de entrada HTML con webkitdirectory configurado, podría haberse producido un uso de memoria previamente liberada, conllevando a una corrupción de memoria y ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1730156 • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38503 – Mozilla: iframe sandbox rules did not apply to XSLT stylesheets
https://notcve.org/view.php?id=CVE-2021-38503
03 Nov 2021 — The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Las reglas del sandbox de iframe no se aplicaban correctamente a las hojas de estilo XSLT, permitiendo a un iframe omitir restricciones como la ejecución de scripts o la navegación por el marco de nivel superior. Esta vulnerabilidad afecta a Firefox v... • https://bugzilla.mozilla.org/show_bug.cgi?id=1729517 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 2%CPEs: 6EXPL: 0CVE-2021-38509 – Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain
https://notcve.org/view.php?id=CVE-2021-38509
03 Nov 2021 — Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Debido a una secuencia inusual de eventos controlados por el atacante, un diálogo Javascript alert() con contenido arbitrario (aunque sin estilo) podría mostrarse encima de una página web no controlada de la elección ... • https://bugzilla.mozilla.org/show_bug.cgi?id=1718571 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-38500 – Mozilla: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
https://notcve.org/view.php?id=CVE-2021-38500
11 Oct 2021 — Mozilla developers reported memory safety bugs present in Firefox 92 and Firefox ESR 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. Los desarrolladores de Mozilla informaron de bugs de seguridad de memoria presentes en Firefox 92 y Firefox ESR 91.1. Algunos de estos b... • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1725854%2C1728321 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •