CVE-2021-23986Origin Validation Error in Mozilla Firefox

CWE-346Origin Validation Error7 documents6 sources
Severity
6.5MEDIUMNVD
OSV8.1
EPSS
0.1%
top 83.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedMar 31
Latest updateMay 24

Description

A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without cookies, so the sensitive information disclosed by the violation was limited to local-network resources or resources that perform IP-bas

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

debiandebian/firefox< firefox 87.0-1 (sid)
CVEListV5mozilla/firefoxunspecified87
NVDmozilla/firefox< 87.0
Ubuntumozilla/firefox< 87.0+build3-0ubuntu0.16.04.2+2
mozillamozilla/firefox

🔴Vulnerability Details

3
GHSA
GHSA-3w6j-gj2m-vh4c: A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL2022-05-24
OSV
firefox vulnerabilities2021-03-25
OSV
CVE-2021-23986: A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL2021-03-25

📋Vendor Advisories

3
Ubuntu
Firefox vulnerabilities2021-03-25
Debian
CVE-2021-23986: firefox - A malicious extension with the 'search' permission could have installed a new se...2021
Mozilla
Mozilla Foundation Security Advisory 2021-10: CVE-2021-23986