CVE-2021-23998Insufficient Verification of Data Authenticity in Mozilla Firefox

CWE-345Insufficient Verification of Data AuthenticityCWE-281Improper Preservation of Permissions15 documents8 sources
Severity
6.5MEDIUMNVD
OSV8.8OSV7.4
EPSS
0.2%
top 62.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedJun 24
Latest updateMay 24

Description

Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified88
NVDmozilla/firefox< 88.0
CVEListV5mozilla/firefox_esrunspecified78.10
NVDmozilla/firefox_esr< 78.10
Ubuntumozilla/firefox< 88.0+build2-0ubuntu0.16.04.1+2

🔴Vulnerability Details

6
GHSA
GHSA-5pc3-x247-jxch: Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page2022-05-24
OSV
thunderbird vulnerabilities2021-06-25
CVEList
CVE-2021-23998: Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page2021-06-24
OSV
CVE-2021-23998: Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page2021-06-24
OSV
thunderbird vulnerabilities2021-06-22

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2021-06-25
Ubuntu
Thunderbird vulnerabilities2021-06-22
Ubuntu
Firefox vulnerabilities2021-04-26
Red Hat
Mozilla: Secure Lock icon could have been spoofed2021-04-19
Debian
CVE-2021-23998: firefox - Through complicated navigations with new windows, an HTTP page could have inheri...2021
CVE-2021-23998 — Mozilla Firefox vulnerability | cvebase