Vulnerability CVE-2021-23984

Vulnerability Name:

CVE-2021-23984 (CCN-198597)

Assigned:

2021-03-23

Published:

2021-03-23

Updated:

2021-08-06

Summary:

A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Complete Availibility (A): None

Vulnerability Type:

CWE-290
CWE-1021

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-23984

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1693664

Source: XF
Type: UNKNOWN
firefox-cve202123984-spoofing(198597)

Source: CCN
Type: IBM Security Bulletin 6447457 (Application Performance Management)
Multiple vulnerabilities of Mozilla Firefox (less than Firefox 78.9.0 ESR + CVE-2021-23987) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF13 + ICAM2019.3.0 - 2020.2.0

Source: CCN
Type: IBM Security Bulletin 6454029 (Cloud Pak for Multicloud Management)
Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-10
Security Vulnerabilities fixed in Firefox 87

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-11
Security Vulnerabilities fixed in Firefox ESR 78.9

Source: CCN
Type: Mozilla Foundation Security Advisory 2021-12
Security Vulnerabilities fixed in Thunderbird 78.9

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-10/

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-11/

Source: MISC
Type: Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-12/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-23984

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 87.0)

OR cpe:/a:mozilla:firefox_esr:*:*:*:*:*:*:*:* (Version < 78.9)

OR cpe:/a:mozilla:thunderbird:*:*:*:*:*:*:*:* (Version < 78.9)

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7868	P	MozillaFirefox-102.11.0-150200.152.87.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:645	P	Security update for php7 (Moderate) (in QA)	2022-10-04
oval:org.opensuse.security:def:3367	P	spice-vdagent-0.16.0-8.5.15 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3252	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3546	P	libICE6-1.0.8-12.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94882	P	MozillaFirefox-91.8.0-150200.152.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95176	P	MozillaThunderbird-91.8.0-150200.8.65.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94833	P	sssd-common-32bit-1.16.1-150300.23.26.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95178	P	NetworkManager-devel-1.32.12-150400.1.11 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:101891	P	Security update for the Linux Kernel (Important)	2022-04-13
oval:org.opensuse.security:def:94479	P	(Important)	2022-03-04
oval:org.opensuse.security:def:111899	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111905	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:101546	P	Security update for python-Pygments (Important)	2021-12-01
oval:org.opensuse.security:def:99431	P	(Important)	2021-11-10
oval:org.opensuse.security:def:1639	P	Security update for squid (Moderate)	2021-10-20
oval:org.opensuse.security:def:105476	P	MozillaFirefox-92.0-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:105478	P	MozillaThunderbird-91.1.1-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:96784	P	tar-1.30-3.3.2 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:101134	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101192	P	libgxps-devel-0.3.0-4.3.29 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62728	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72447	P	MozillaFirefox-78.10.0-8.38.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:99630	P	(Important)	2021-04-28
oval:org.opensuse.security:def:111330	P	Security update for MozillaThunderbird (Important)	2021-04-19
oval:org.opensuse.security:def:96296	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:10634	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:96841	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:109634	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:70774	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:119774	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:102968	P	Security update for MozillaThunderbird (Important)	2021-04-13
oval:org.opensuse.security:def:44377	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:93185	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:10232	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:91892	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:8555	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:66719	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:42057	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:39947	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:92680	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:99929	P	(Important)	2021-04-01
oval:org.opensuse.security:def:9482	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:70194	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:117373	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:93944	P	(Important)	2021-04-01
oval:org.opensuse.security:def:45586	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:108557	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:92087	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:8731	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:69440	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:98842	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:93403	P	(Important)	2021-04-01
oval:org.opensuse.security:def:41156	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:75787	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:92879	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:100264	P	(Important)	2021-04-01
oval:org.opensuse.security:def:9681	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:70372	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:64456	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:94155	P	(Important)	2021-04-01
oval:org.opensuse.security:def:92282	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:8926	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:69622	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:99037	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:93560	P	(Important)	2021-04-01
oval:org.opensuse.security:def:43087	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:93032	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:100594	P	(Important)	2021-04-01
oval:org.opensuse.security:def:107858	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:10054	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:99935	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:5630	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:94367	P	(Important)	2021-04-01
oval:org.opensuse.security:def:38657	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:73578	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:92481	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:9300	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:69821	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:99232	P	Security update for MozillaFirefox (Important)	2021-04-01
oval:org.opensuse.security:def:93729	P	(Important)	2021-04-01
oval:org.opensuse.security:def:23204	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:89526	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:125678	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:33790	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:58930	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:85833	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:28964	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:52033	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:88271	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:31749	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:57192	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:83259	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:23773	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:126844	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:34048	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:59613	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:86213	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:29491	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:54787	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:81126	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:88588	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:32285	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:57572	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:84289	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:24045	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:51192	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:127241	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:34669	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:59871	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:86749	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:5203	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:30052	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:55314	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:82171	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:21432	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:89268	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:33107	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:58108	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:84747	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:26216	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:51761	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:60492	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:87571	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:5991	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:31369	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:55875	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:82698	P	Security update for MozillaFirefox (Important)	2021-03-31
oval:org.opensuse.security:def:111296	P	Security update for MozillaFirefox (Important)	2021-03-30
oval:org.opensuse.security:def:108212	P	Security update for MozillaFirefox (Important)	2021-03-29
oval:org.opensuse.security:def:74345	P	Security update for MozillaFirefox (Important)	2021-03-29
oval:org.opensuse.security:def:4188	P	Security update for MozillaFirefox (Important)	2021-03-29
oval:org.opensuse.security:def:117726	P	Security update for MozillaFirefox (Important)	2021-03-29
oval:org.opensuse.security:def:97351	P	Security update for MozillaFirefox (Important)	2021-03-29
oval:org.opensuse.security:def:65277	P	Security update for MozillaFirefox (Important)	2021-03-29
oval:com.redhat.rhsa:def:20210990	P	RHSA-2021:0990: firefox security update (Important)	2021-03-25
oval:com.redhat.rhsa:def:20210992	P	RHSA-2021:0992: firefox security update (Important)	2021-03-25
oval:com.redhat.rhsa:def:20210993	P	RHSA-2021:0993: thunderbird security update (Important)	2021-03-25
oval:com.redhat.rhsa:def:20210996	P	RHSA-2021:0996: thunderbird security update (Important)	2021-03-25

BACK