CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38508 – Mozilla: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
https://notcve.org/view.php?id=CVE-2021-38508
By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Al mostrar un mensaje de comprobación del formulario en la ubicación correcta al mismo tiempo que una solicitud de permiso (como para la geolocalización), el mensaje de comprobación podría haber ocultado la solicitud, resultando en que el usuario podría ser engañado para conceder el permiso. Esta vulnerabilidad afecta a Firefox versiones anteriores a 94, Thunderbird versiones anteriores a 91.3 y Firefox ESR versiones anteriores a 91.3 • https://bugzilla.mozilla.org/show_bug.cgi?id=1366818 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-48 https://www.mozilla.org/security/advisories/mfsa2021-49 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38509 – Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain
https://notcve.org/view.php?id=CVE-2021-38509
Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Debido a una secuencia inusual de eventos controlados por el atacante, un diálogo Javascript alert() con contenido arbitrario (aunque sin estilo) podría mostrarse encima de una página web no controlada de la elección del atacante. Esta vulnerabilidad afecta a Firefox versiones anteriores a 94, Thunderbird versiones anteriores a 91.3 y Firefox ESR versiones anteriores a 91.3 • https://bugzilla.mozilla.org/show_bug.cgi?id=1718571 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-48 https://www.mozilla.org/security/advisories/mfsa2021-49 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 1CVE-2021-38492
https://notcve.org/view.php?id=CVE-2021-38492
When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1. Cuando se delegaba la navegación al sistema operativo, Firefox aceptaba el esquema "mk" que podía permitir a atacantes lanzar páginas y ejecutar scripts en Internet Explorer en modo no privilegiado. • https://bugzilla.mozilla.org/show_bug.cgi?id=1721107 https://security.gentoo.org/glsa/202208-14 https://www.mozilla.org/security/advisories/mfsa2021-38 https://www.mozilla.org/security/advisories/mfsa2021-39 https://www.mozilla.org/security/advisories/mfsa2021-40 https://www.mozilla.org/security/advisories/mfsa2021-41 https://www.mozilla.org/security/advisories/mfsa2021-42 •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-38495
https://notcve.org/view.php?id=CVE-2021-38495
Mozilla developers reported memory safety bugs present in Thunderbird 78.13.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 91.1 and Firefox ESR < 91.1. Los desarrolladores de Mozilla informaron de bugs de seguridad de memoria presentes en Thunderbird versión 78.13.0. Algunos de estos bugs mostraban evidencias de corrupción de memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían haber sido explotados para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1723391%2C1723920%2C1724101%2C1724107 https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.mozilla.org/security/advisories/mfsa2021-40 https://www.mozilla.org/security/advisories/mfsa2021-41 • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-38496 – Mozilla: Use-after-free in MessageTask
https://notcve.org/view.php?id=CVE-2021-38496
During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.15, Thunderbird < 91.2, Firefox ESR < 91.2, Firefox ESR < 78.15, and Firefox < 93. Durante las operaciones en MessageTasks, una tarea puede haber sido eliminada mientras todavía estaba programada, resultando en una corrupción de memoria y un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 78.15, Thunderbird versiones anteriores a 91.2, Firefox ESR versiones anteriores a 91.2, Firefox ESR versiones anteriores a 78.15 y Firefox versiones anteriores a 93 • https://bugzilla.mozilla.org/show_bug.cgi?id=1725335 https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-43 https://www.mozilla.org/security/advisories/mfsa2021-44 https://www.mozilla.org/security/advisories/mfsa2021-45 https://www.mozilla.org/security/advisories/mfsa2021-46 https://www.mozilla.org/security/advisories/mfsa2021-47 https://access.redhat.com/security/cve/CVE • CWE-416: Use After Free •