CVE-2021-29987 — Improper Restriction of Excessive Authentication Attempts in Mozilla Firefox

CWE-307 — Improper Restriction of Excessive Authentication Attempts9 documents6 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.3%

top 45.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Debian Firefox +1 more

Timeline

PublishedAug 17

Latest updateMay 24

Description

After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶debiandebian/firefox< firefox 91.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 91

▶NVDmozilla/firefox< 91.0

▶Ubuntumozilla/firefox< 91.0+build2-0ubuntu0.18.04.1+1

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-h5xx-jcpx-5hr9: After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position↗2022-05-24

▶

OSV

thunderbird vulnerabilities↗2022-01-21

▶

OSV

CVE-2021-29987: After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position↗2021-08-11

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-01-21

▶

Ubuntu

Firefox vulnerabilities↗2021-08-11

▶

Debian

CVE-2021-29987: firefox - After requesting multiple permissions, and closing the first permission panel, s...↗2021

▶

Mozilla

Mozilla Foundation Security Advisory 2021-33: CVE-2021-29987↗

▶

Mozilla

Mozilla Foundation Security Advisory 2021-36: CVE-2021-29987↗

▶