CVE-2021-38509
Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
Debido a una secuencia inusual de eventos controlados por el atacante, un diálogo Javascript alert() con contenido arbitrario (aunque sin estilo) podría mostrarse encima de una página web no controlada de la elección del atacante. Esta vulnerabilidad afecta a Firefox versiones anteriores a 94, Thunderbird versiones anteriores a 91.3 y Firefox ESR versiones anteriores a 91.3
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, trick a user into accepting unwanted permissions, conduct header splitting attacks, conduct spoofing attacks, bypass security restrictions, confuse the user, or execute arbitrary code.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-10 CVE Reserved
- 2021-11-03 CVE Published
- 2024-08-04 CVE Updated
- 2025-04-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202202-03 | 2022-12-09 | |
| https://security.gentoo.org/glsa/202208-14 | 2022-12-09 | |
| https://www.debian.org/security/2021/dsa-5026 | 2022-12-09 | |
| https://www.debian.org/security/2022/dsa-5034 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-48 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-49 | 2022-12-09 | |
| https://www.mozilla.org/security/advisories/mfsa2021-50 | 2022-12-09 | |
| https://access.redhat.com/security/cve/CVE-2021-38509 | 2021-11-10 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2019628 | 2021-11-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | < 94.0 Search vendor "Mozilla" for product "Firefox" and version " < 94.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | < 91.3.0 Search vendor "Mozilla" for product "Firefox Esr" and version " < 91.3.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Thunderbird Search vendor "Mozilla" for product "Thunderbird" | < 91.3.0 Search vendor "Mozilla" for product "Thunderbird" and version " < 91.3.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||