Multiple vulnerabilities in Mozilla Firefox and Firefox ESR
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2021-43534 CVE-2021-38503 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-38510 CVE-2021-43535 |
| CWE-ID | CWE-254 CWE-200 CWE-20 CWE-119 CWE-416 CWE-357 CWE-1021 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Security features bypass
EUVDB-ID: #VU57885
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in the way the post-redirect URL of the element is handled. When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 92.0 - 93.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:92.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:92.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:93.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU57886
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect implementation of the 'Copy Image Link' context menu action, which copies the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to takeover a user account. If a website tricked a user into copy and pasting the image link back to the page, the page would be able to steal the authentication tokens.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 92.0 - 93.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:92.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:92.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:93.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU57887
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to insufficient validation of URL when parsing internationalized domain names. High bits of the characters in the URLs are sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 92.0 - 93.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:92.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:92.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:93.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU57888
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43534
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:91.2.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Security features bypass
EUVDB-ID: #VU57876
Risk: High
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-38503
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the iframe sandbox rules were not correctly applied to XSLT stylesheets. A remote attacker can load use an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU57878
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-38504
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when interacting with an HTML input element's file picker dialog with webkitdirectory set. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU57879
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38505
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to absence of support for a new feature in Windows 10 known as Cloud Clipboard that, if enabled, will record data copied to the clipboard to the
cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats, which were not implemented in previous versions of Firefox and Firefox ESR.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU57880
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-38506
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to Firefox could have entered fullscreen mode without notification or warning to the user. A remote attacker can perform spoofing attacks on the browser UI.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Security features bypass
EUVDB-ID: #VU57881
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38507
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists in the Opportunistic Encryption feature of HTTP2, which allows a connection to be transparently upgraded to TLS while retaining
the visual properties of an HTTP connection, including being
same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port
8443) did not opt-in to opportunistic encryption; a network attacker
could forward a connection from the browser from port 443 to port 8443,
causing the browser to treat the content of port 8443 as same-origin
with HTTP. As a result, a remote attacker can bypass Same-Origin-Policy on services hosted on other ports.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU57882
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38508
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to Firefox displays the form validity message in the correct location at the same time as a permission prompt (such as for geolocation). The validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper Restriction of Rendered UI Layers or Frames
EUVDB-ID: #VU57883
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38509
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of an unusual sequence of attacker-controlled events. A remote attacker can display a Javascript alert() dialog with arbitrary (although unstyled) contents over top of arbitrary webpage of the attacker's choosing.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU57884
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38510
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to silently download dangerous files on the system.
The vulnerability exists due to the executable file warning is not presented to the user when downloading .inetloc files. A remote attacker can silently download a potentially dangerous file to the user's system.
The vulnerability affects macOS operating system only.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 80.0 - 93.0
Firefox ESR: 91.0 - 91.2.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:80.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:80.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:81.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free
EUVDB-ID: #VU57889
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43535
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTTP/2 session object. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox ESR: 91.0 - 91.2.0
CPE2.3https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
