CVE-2021-23976

Gentoo Linux Security Advisory 202104-10

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.

Cuando se acepta una intención maliciosa de otras aplicaciones instaladas, Firefox para Android aceptó manifiestos de rutas de archivos arbitrarias y permitió declarar manifiestos de aplicaciones web para otros orígenes. Esto podría usarse para conseguir acceso a pantalla completa para la suplantación de la interfaz de usuario y también podría conllevar a ataques de origen cruzado en sitios web específicos. Nota: Este problema es diferente de CVE-2020-26954 y solo afecta a Firefox para Android. Otros sistemas operativos no están afectados. Esta vulnerabilidad afecta a Firefox versiones anteriores a 86

Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. Versions less than 88.0 are affected.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-13 CVE Reserved
2021-02-26 CVE Published
2024-08-03 CVE Updated
2024-12-31 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://security.gentoo.org/glsa/202104-10	2022-05-27
https://www.mozilla.org/security/advisories/mfsa2021-07	2022-05-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"		Firefox Search vendor "Mozilla" for product "Firefox"				< 86.0 Search vendor "Mozilla" for product "Firefox" and version " < 86.0"		android		Affected