CVE-2021-23984 — Authentication Bypass by Spoofing in Mozilla Firefox

CWE-290 — Authentication Bypass by Spoofing CWE-1021 — UI Misrepresentation / Clickjacking15 documents8 sources

Severity

6.5MEDIUMNVD

OSV8.1OSV7.4

EPSS

0.2%

top 56.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedMar 31

Latest updateMay 24

Description

A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶CVEListV5mozilla/firefoxunspecified — 87

▶NVDmozilla/firefox< 87.0

▶CVEListV5mozilla/firefox_esrunspecified — 78.9

▶NVDmozilla/firefox_esr< 78.9

▶Ubuntumozilla/firefox< 87.0+build3-0ubuntu0.16.04.2+2

🔴Vulnerability Details

GHSA

GHSA-5cpw-36f2-hgw7: A malicious extension could have opened a popup window lacking an address bar↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2021-06-25

▶

OSV

thunderbird vulnerabilities↗2021-06-22

▶

OSV

CVE-2021-23984: A malicious extension could have opened a popup window lacking an address bar↗2021-03-31

▶

CVEList

CVE-2021-23984: A malicious extension could have opened a popup window lacking an address bar↗2021-03-31

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2021-06-25

▶

Ubuntu

Thunderbird vulnerabilities↗2021-06-22

▶

Ubuntu

Firefox vulnerabilities↗2021-03-25

▶

Red Hat

Mozilla: Malicious extensions could have spoofed popup information↗2021-03-23

▶

Debian

CVE-2021-23984: firefox - A malicious extension could have opened a popup window lacking an address bar. T...↗2021

▶