CVE-2021-23974Mozilla Firefox vulnerability

6 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
0.2%
top 58.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedFeb 26
Latest updateMay 24

Description

The DOMParser API did not properly process '' elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer. This vulnerability affects Firefox < 86.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

debiandebian/firefox< firefox 86.0-1 (sid)
CVEListV5mozilla/firefox< 86
NVDmozilla/firefox< 86.0
Ubuntumozilla/firefox< 86.0+build3-0ubuntu0.16.04.1+2
mozillamozilla/firefox

🔴Vulnerability Details

2
GHSA
GHSA-xgvx-m8xh-737m: The DOMParser API did not properly process '' elements for escaping2022-05-24
OSV
CVE-2021-23974: The DOMParser API did not properly process '' elements for escaping2021-02-26

📋Vendor Advisories

3
Ubuntu
Firefox vulnerabilities2021-02-26
Debian
CVE-2021-23974: firefox - The DOMParser API did not properly process '<noscript>' elements for escaping. T...2021
Mozilla
Mozilla Foundation Security Advisory 2021-07: CVE-2021-23974