CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23995 – Mozilla: Use-after-free in Responsive Design Mode
https://notcve.org/view.php?id=CVE-2021-23995
When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Cuando se habilitó el Modo de Diseño Responsivo, se usaron referencias a objetos que fueron liberados previamente. Presumimos que con suficiente esfuerzo esto podría haber sido explotado para ejecutar código arbitrario. • https://bugzilla.mozilla.org/show_bug.cgi?id=1699835 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23995 https://bugzilla.redhat.com/show_bug.cgi?id=1951365 • CWE-416: Use After Free CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23998 – Mozilla: Secure Lock icon could have been spoofed
https://notcve.org/view.php?id=CVE-2021-23998
Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Mediante navegaciones complicadas con nuevas ventanas, una página HTTP podría haber heredado un icono de bloqueo seguro de una página HTTPS. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.10, Thunderbird versiones anteriores a 78.10 y Firefox versiones anteriores a 88 • https://bugzilla.mozilla.org/show_bug.cgi?id=1667456 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23998 https://bugzilla.redhat.com/show_bug.cgi?id=1951366 • CWE-281: Improper Preservation of Permissions CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2021-23999 – Mozilla: Blob URLs may have been granted additional privileges
https://notcve.org/view.php?id=CVE-2021-23999
If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Si una URL Blob se cargó mediante alguna interacción inusual del usuario, podría haber sido cargada por el Principal del Sistema y conceder privilegios adicionales que no deberían concederse al contenido web. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.10, Thunderbird versiones anteriores a 78.10 y Firefox versiones anteriores a 88 • https://bugzilla.mozilla.org/show_bug.cgi?id=1691153 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23999 https://bugzilla.redhat.com/show_bug.cgi?id=1951368 • CWE-269: Improper Privilege Management CWE-281: Improper Preservation of Permissions CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-24002 – Mozilla: Arbitrary FTP command execution on FTP servers using an encoded URL
https://notcve.org/view.php?id=CVE-2021-24002
When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Cuando un usuario hacía clic en una URL de FTP conteniendo caracteres de nueva línea codificados (%0A y %0D), las nuevas líneas se interpretaban como tales y permitían que comandos arbitrarios fueran enviados al servidor FTP. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.10, Thunderbird versiones anteriores a 78.10 y Firefox versiones anteriores a 88 • https://bugzilla.mozilla.org/show_bug.cgi?id=1702374 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-24002 https://bugzilla.redhat.com/show_bug.cgi?id=1951369 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-23991 – Mozilla: An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key
https://notcve.org/view.php?id=CVE-2021-23991
If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. This vulnerability affects Thunderbird < 78.9.1. Si un usuario de Thunderbird ha importado previamente la clave OpenPGP de Alice, y Alice ha ampliado el periodo de validez de su clave, pero la clave actualizada de Alice aún no ha sido importada, un atacante puede enviar un correo electrónico conteniendo una versión diseñada de la clave de Alice con una subclave no válida, Thunderbird podría posteriormente intentar usar la subclave no válida, y producirá un fallo al enviar el correo electrónico cifrado a Alice. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 78.9.1 • https://bugzilla.mozilla.org/show_bug.cgi?id=1673240 https://www.mozilla.org/security/advisories/mfsa2021-13 https://access.redhat.com/security/cve/CVE-2021-23991 https://bugzilla.redhat.com/show_bug.cgi?id=1948393 • CWE-347: Improper Verification of Cryptographic Signature •