CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23992 – Mozilla: A crafted OpenPGP key with an invalid user ID could be used to confuse the user
https://notcve.org/view.php?id=CVE-2021-23992
Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. This vulnerability affects Thunderbird < 78.9.1. Thunderbird no comprueba si el ID de usuario asociado a una clave OpenPGP presenta una autofirma válida. • https://bugzilla.mozilla.org/show_bug.cgi?id=1666236 https://www.mozilla.org/security/advisories/mfsa2021-13 https://access.redhat.com/security/cve/CVE-2021-23992 https://bugzilla.redhat.com/show_bug.cgi?id=1948394 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23993 – Mozilla: Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key
https://notcve.org/view.php?id=CVE-2021-23993
An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1. Un atacante puede llevar a cabo un ataque DoS para impedir a un usuario de enviar un correo electrónico cifrado a un corresponsal. Si un atacante crea una clave OpenPGP diseñada con una subclave que presenta una autofirma no válida, y el usuario de Thunderbird importa la clave diseñada, entonces Thunderbird puede intentar usar la subclave no válida, pero la biblioteca RNP lo rechaza para ser usado, causando que el cifrado presente un fallo. • https://bugzilla.mozilla.org/show_bug.cgi?id=1666360 https://www.mozilla.org/security/advisories/mfsa2021-13 https://access.redhat.com/security/cve/CVE-2021-23993 https://bugzilla.redhat.com/show_bug.cgi?id=1948395 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23981 – Mozilla: Texture upload into an unbound backing buffer resulted in an out-of-bound read
https://notcve.org/view.php?id=CVE-2021-23981
A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. Una carga de textura de un Objeto de Búfer de Píxeles podría haber confundido el código WebGL para omitir el enlace del búfer usado para descomprimirlo, resultando en la corrupción de la memoria y una filtración o bloqueo de información potencialmente explotable. Esta vulnerabilidad afecta a Firefox ESR versión 78.9, Firefox versiones anteriores a 87, and Thunderbird versiones anteriores a 78.9. The Mozilla Foundation Security Advisory describes this issue as: A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1692832 https://www.mozilla.org/security/advisories/mfsa2021-10 https://www.mozilla.org/security/advisories/mfsa2021-11 https://www.mozilla.org/security/advisories/mfsa2021-12 https://access.redhat.com/security/cve/CVE-2021-23981 https://bugzilla.redhat.com/show_bug.cgi?id=1942783 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23982 – Mozilla: Internal network hosts could have been probed by a malicious webpage
https://notcve.org/view.php?id=CVE-2021-23982
Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. Usando técnicas que se basaron en la investigación de slipstream, una página web maliciosa podría haber escaneado tanto los hosts de una red interna como los servicios que se ejecutan en la máquina local del usuario usando conexiones WebRTC. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.9, Firefox versiones anteriores a 87, y Thunderbird versiones anteriores a 78.9 • https://bugzilla.mozilla.org/show_bug.cgi?id=1677046 https://www.mozilla.org/security/advisories/mfsa2021-10 https://www.mozilla.org/security/advisories/mfsa2021-11 https://www.mozilla.org/security/advisories/mfsa2021-12 https://access.redhat.com/security/cve/CVE-2021-23982 https://bugzilla.redhat.com/show_bug.cgi?id=1942785 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-326: Inadequate Encryption Strength •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-23984 – Mozilla: Malicious extensions could have spoofed popup information
https://notcve.org/view.php?id=CVE-2021-23984
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. Una extensión maliciosa podría haber abierto una ventana emergente sin una barra de direcciones. • https://bugzilla.mozilla.org/show_bug.cgi?id=1693664 https://www.mozilla.org/security/advisories/mfsa2021-10 https://www.mozilla.org/security/advisories/mfsa2021-11 https://www.mozilla.org/security/advisories/mfsa2021-12 https://access.redhat.com/security/cve/CVE-2021-23984 https://bugzilla.redhat.com/show_bug.cgi?id=1942786 • CWE-290: Authentication Bypass by Spoofing CWE-1021: Improper Restriction of Rendered UI Layers or Frames •