CVE-2021-23956 — Mozilla Firefox vulnerability

7 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 60.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedFeb 26

Latest updateMay 24

Description

An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory. This was addressed by adding a new prompt. This vulnerability affects Firefox < 85.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/firefox< firefox 85.0-1 (sid)

▶CVEListV5mozilla/firefox< 85

▶NVDmozilla/firefox< 85.0

▶Ubuntumozilla/firefox< 85.0+build1-0ubuntu0.16.04.1+2

▶mozillamozilla/firefox

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-vjq2-3fhj-f82c: An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory↗2022-05-24

▶

OSV

CVE-2021-23956: An ambiguous file picker design could have confused users who intended to select and upload a single file into uploading a whole directory↗2021-01-26

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2021-02-01

▶

Debian

CVE-2021-23956: firefox - An ambiguous file picker design could have confused users who intended to select...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-03: CVE-2021-23956↗

▶