CVE-2021-23988
https://notcve.org/view.php?id=CVE-2021-23988
Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 87. Los desarrolladores de Mozilla, reportaron bugs de seguridad de la memoria presentes en Firefox versión 86. Algunos de estos bugs mostraron evidencia de corrupción de la memoria y suponemos que con suficiente esfuerzo algunos de ellos podrían haber sido explotados para ejecutar código arbitrario. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1684994%2C1686653 https://www.mozilla.org/security/advisories/mfsa2021-10 • CWE-787: Out-of-bounds Write •
CVE-2021-23983
https://notcve.org/view.php?id=CVE-2021-23983
By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 87. Al causar una transición en un nodo principal mediante la eliminación de una regla CSS, se podría haber aplicado una propiedad no válida para un marcador, resultando en una corrupción de la memoria y un bloqueo potencialmente explotable. Esta vulnerabilidad afecta a Firefox versiones anteriores a 87. • https://bugzilla.mozilla.org/show_bug.cgi?id=1692684 https://www.mozilla.org/security/advisories/mfsa2021-10 • CWE-787: Out-of-bounds Write •
CVE-2021-23985
https://notcve.org/view.php?id=CVE-2021-23985
If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity and (plaintext) network traffic. This was addressed by providing a visual cue when Devtools has an open network socket. This vulnerability affects Firefox < 87. Si un atacante puede ser capaz de alterar valores específicos de about:config (por ejemplo, malware que se ejecuta en la computadora del usuario), la funcionalidad de depuración remota de Devtools podría haber sido habilitada de una manera que el usuario no pudo notar. • https://bugzilla.mozilla.org/show_bug.cgi?id=1659129 https://www.mozilla.org/security/advisories/mfsa2021-10 •
CVE-2021-23986
https://notcve.org/view.php?id=CVE-2021-23986
A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-based authentication. This vulnerability affects Firefox < 87. Una extensión maliciosa con el permiso de "search" podría haber instalado un nuevo motor de búsqueda cuyo favicon hiciera referencia a una URL de origen cruzado. • https://bugzilla.mozilla.org/show_bug.cgi?id=1692623 https://www.mozilla.org/security/advisories/mfsa2021-10 • CWE-346: Origin Validation Error •
CVE-2021-23984 – Mozilla: Malicious extensions could have spoofed popup information
https://notcve.org/view.php?id=CVE-2021-23984
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9. Una extensión maliciosa podría haber abierto una ventana emergente sin una barra de direcciones. • https://bugzilla.mozilla.org/show_bug.cgi?id=1693664 https://www.mozilla.org/security/advisories/mfsa2021-10 https://www.mozilla.org/security/advisories/mfsa2021-11 https://www.mozilla.org/security/advisories/mfsa2021-12 https://access.redhat.com/security/cve/CVE-2021-23984 https://bugzilla.redhat.com/show_bug.cgi?id=1942786 • CWE-290: Authentication Bypass by Spoofing CWE-1021: Improper Restriction of Rendered UI Layers or Frames •