CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43538 – Mozilla: Missing fullscreen and pointer lock notification when requesting both
https://notcve.org/view.php?id=CVE-2021-43538
By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. Mediante el uso indebido de una carrera en nuestro código de notificación, un atacante podría haber ocultado a la fuerza la notificación de las páginas que habían recibido acceso a pantalla completa y bloqueo de puntero, lo que podría haber sido usado para ataques de suplantación de identidad. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0 y Firefox versiones anteriores a 95 The Mozilla Foundation Security Advisory describes this flaw as: By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks. • https://bugzilla.mozilla.org/show_bug.cgi?id=1739091 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 6.5EPSS: 1%CPEs: 6EXPL: 0CVE-2021-43542 – Mozilla: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
https://notcve.org/view.php?id=CVE-2021-43542
Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. Usando XMLHttpRequest, un atacante podría haber identificado aplicaciones instaladas sondeando los mensajes de error para cargar protocolos externos. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0 y Firefox versiones anteriores a 95 • https://bugzilla.mozilla.org/show_bug.cgi?id=1723281 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43539 – Mozilla: GC rooting failure when calling wasm instance methods
https://notcve.org/view.php?id=CVE-2021-43539
Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. Un fallo en el registro correcto de la ubicación de los punteros vivos a través de las llamadas a instancias de wasm daba lugar a que una GC que ocurría dentro de la llamada no rastreara esos punteros vivos. Esto podría haber conllevado a un uso de memoria previamente liberada causando un bloqueo potencialmente explotable. • https://bugzilla.mozilla.org/show_bug.cgi?id=1739683 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-416: Use After Free •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43543 – Mozilla: Bypass of CSP sandbox directive when embedding
https://notcve.org/view.php?id=CVE-2021-43543
Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. Los documentos cargados con la directiva CSP sandbox podrían escapar de la restricción de scripts del sandbox al insertar contenido adicional. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a 91.4.0, Firefox ESR versiones anteriores a 91.4.0 y Firefox versiones anteriores a 95 • https://bugzilla.mozilla.org/show_bug.cgi?id=1738418 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38503 – Mozilla: iframe sandbox rules did not apply to XSLT stylesheets
https://notcve.org/view.php?id=CVE-2021-38503
The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. Las reglas del sandbox de iframe no se aplicaban correctamente a las hojas de estilo XSLT, permitiendo a un iframe omitir restricciones como la ejecución de scripts o la navegación por el marco de nivel superior. Esta vulnerabilidad afecta a Firefox versiones anteriores a 94, Thunderbird versiones anteriores a 91.3 y Firefox ESR versiones anteriores a 91.3 The Mozilla Foundation Security Advisory describes this flaw as: The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. • https://bugzilla.mozilla.org/show_bug.cgi?id=1729517 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-48 https://www.mozilla.org/security/advisories/mfsa2021-49 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-863: Incorrect Authorization •