CVE-2021-38492 — Inclusion of Functionality from Untrusted Control Sphere in Mozilla Firefox
Severity
6.5MEDIUMNVD
EPSS
0.4%
top 38.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 3
Latest updateMay 24
Description
When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scripts in Internet Explorer in unprivileged mode. *This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 92, Thunderbird < 91.1, Thunderbird < 78.14, Firefox ESR < 78.14, and Firefox ESR < 91.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6
Affected Packages6 packages
🔴Vulnerability Details
3GHSA▶
GHSA-qq3m-5g62-2hhj: When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scri↗2022-05-24
OSV▶
CVE-2021-38492: When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scri↗2021-11-03
CVEList▶
CVE-2021-38492: When delegating navigations to the operating system, Firefox would accept the `mk` scheme which might allow attackers to launch pages and execute scri↗2021-11-03
📋Vendor Advisories
7Debian▶
CVE-2021-38492: firefox - When delegating navigations to the operating system, Firefox would accept the `m...↗2021