CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43540
https://notcve.org/view.php?id=CVE-2021-43540
WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects Firefox < 95. Las WebExtensions con los permisos correctos podían crear e instalar ServiceWorkers para sitios web de terceros que no habrían desinstalado con la extensión. Esta vulnerabilidad afecta a Firefox versiones anteriores a 95 • https://bugzilla.mozilla.org/show_bug.cgi?id=1636629 https://security.gentoo.org/glsa/202202-03 https://www.mozilla.org/security/advisories/mfsa2021-52 •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-43544
https://notcve.org/view.php?id=CVE-2021-43544
When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to XSS and spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 95. Cuando se recibía una URL mediante una intención de SEND, Firefox habría buscado el texto, pero los usos posteriores de la barra de direcciones podrían haber causado que la URL se cargara involuntariamente, lo que podría conllevar a ataques de tipo XSS y de suplantación de identidad. • https://bugzilla.mozilla.org/show_bug.cgi?id=1739934 https://www.mozilla.org/security/advisories/mfsa2021-52 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2021-43536 – Mozilla: URL leakage when navigating while executing asynchronous function
https://notcve.org/view.php?id=CVE-2021-43536
Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. En determinadas circunstancias, las funciones asíncronas podrían haber causado el fallo de una navegación pero exponiendo la URL de destino. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0 y Firefox versiones anteriores a 95 The Mozilla Foundation Security Advisory describes this flaw as: Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL. • https://bugzilla.mozilla.org/show_bug.cgi?id=1730120 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43537 – Mozilla: Heap buffer overflow when using structured clone
https://notcve.org/view.php?id=CVE-2021-43537
An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. Una conversión de tipo incorrecta de los tamaños de enteros de 64 bits a 32 bits permitía a un atacante corromper la memoria, conllevando a un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0, y Firefox versiones anteriores a 95 The Mozilla Foundation Security Advisory describes this flaw as: An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash. • https://bugzilla.mozilla.org/show_bug.cgi?id=1738237 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43545 – Mozilla: Denial of Service when using the Location API in a loop
https://notcve.org/view.php?id=CVE-2021-43545
Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. El uso de la API de localización en un bucle podría haber causado graves cuelgues y bloqueos de la aplicación. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0 y Firefox versiones anteriores a 95 • https://bugzilla.mozilla.org/show_bug.cgi?id=1720926 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-834: Excessive Iteration CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •