CVE-2021-23998 – Mozilla: Secure Lock icon could have been spoofed
https://notcve.org/view.php?id=CVE-2021-23998
Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Mediante navegaciones complicadas con nuevas ventanas, una página HTTP podría haber heredado un icono de bloqueo seguro de una página HTTPS. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.10, Thunderbird versiones anteriores a 78.10 y Firefox versiones anteriores a 88 • https://bugzilla.mozilla.org/show_bug.cgi?id=1667456 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23998 https://bugzilla.redhat.com/show_bug.cgi?id=1951366 • CWE-281: Improper Preservation of Permissions CWE-345: Insufficient Verification of Data Authenticity •
CVE-2021-23999 – Mozilla: Blob URLs may have been granted additional privileges
https://notcve.org/view.php?id=CVE-2021-23999
If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Si una URL Blob se cargó mediante alguna interacción inusual del usuario, podría haber sido cargada por el Principal del Sistema y conceder privilegios adicionales que no deberían concederse al contenido web. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.10, Thunderbird versiones anteriores a 78.10 y Firefox versiones anteriores a 88 • https://bugzilla.mozilla.org/show_bug.cgi?id=1691153 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23999 https://bugzilla.redhat.com/show_bug.cgi?id=1951368 • CWE-269: Improper Privilege Management CWE-281: Improper Preservation of Permissions CWE-697: Incorrect Comparison •
CVE-2021-29945 – Mozilla: Incorrect size computation in WebAssembly JIT could lead to null-reads
https://notcve.org/view.php?id=CVE-2021-29945
The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. El JIT de WebAssembly podía calcular mal el tamaño de un tipo de retorno, lo que podía conllevar a una lectura nula y resultar en un bloqueo. • https://bugzilla.mozilla.org/show_bug.cgi?id=1700690 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-29945 https://bugzilla.redhat.com/show_bug.cgi?id=1951370 • CWE-476: NULL Pointer Dereference CWE-682: Incorrect Calculation •
CVE-2021-23994 – Mozilla: Out of bound write due to lazy initialization
https://notcve.org/view.php?id=CVE-2021-23994
A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bound write. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Un framebuffer de WebGL no se inicializaba con suficiente antelación, resultando en una corrupción de memoria y una escritura fuera de límites. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 78.10, Thunderbird versiones anteriores a 78.10 y Firefox versiones anteriores a 88 • https://bugzilla.mozilla.org/show_bug.cgi?id=1699077 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23994 https://bugzilla.redhat.com/show_bug.cgi?id=1951364 • CWE-787: Out-of-bounds Write CWE-909: Missing Initialization of Resource •
CVE-2021-23995 – Mozilla: Use-after-free in Responsive Design Mode
https://notcve.org/view.php?id=CVE-2021-23995
When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. Cuando se habilitó el Modo de Diseño Responsivo, se usaron referencias a objetos que fueron liberados previamente. Presumimos que con suficiente esfuerzo esto podría haber sido explotado para ejecutar código arbitrario. • https://bugzilla.mozilla.org/show_bug.cgi?id=1699835 https://www.mozilla.org/security/advisories/mfsa2021-14 https://www.mozilla.org/security/advisories/mfsa2021-15 https://www.mozilla.org/security/advisories/mfsa2021-16 https://access.redhat.com/security/cve/CVE-2021-23995 https://bugzilla.redhat.com/show_bug.cgi?id=1951365 • CWE-416: Use After Free CWE-672: Operation on a Resource after Expiration or Release •