CVE-2021-43532
Published 2021-12-08
Priority P4 · 27 · medium · 6.1 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.53% (40.8th percentile)
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 94.0-1 (sid) | firefox 94.0-1 (sid) |
| mozilla | firefox | < 94.0 | 94.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 94.0+build3-0ubuntu0.18.04.1 | 94.0+build3-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 94.0+build3-0ubuntu0.20.04.1 | 94.0+build3-0ubuntu0.20.04.1 |
| mozilla | firefox | >= 0 < 94.0+build3-0ubuntu1 | 94.0+build3-0ubuntu1 |
| mozilla | firefox | >= unspecified < 94 | 94 |
CVSS provenance
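| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |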
GHSA
GHSA-x5xq-hf4g-4cgq: The 'Copy Image Link' context menu action would copy the final image URL after redirects
ghsa_unreviewed·2021-12-09
CVE-2021-43532 [MEDIUM] CWE-601 GHSA-x5xq-hf4g-4cgq: The 'Copy Image Link' context menu action would copy the final image URL after redirects
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.
GHSA
GHSA-r6p5-8pxg-2vcp: When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked
ghsa_unreviewed·2021-12-09·CVSS 6.1
CVE-2021-43531 [MEDIUM] CWE-346 GHSA-r6p5-8pxg-2vcp: When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked
When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.
OSV
CVE-2021-43531: When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked
osv·2021-12-08·CVSS 4.3
CVE-2021-43531 [MEDIUM] CVE-2021-43531: When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked
When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.
OSV
CVE-2021-43532: The 'Copy Image Link' context menu action would copy the final image URL after redirects
osv·2021-12-08·CVSS 6.1
CVE-2021-43532 [MEDIUM] CVE-2021-43532: The 'Copy Image Link' context menu action would copy the final image URL after redirects
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.
Debian
CVE-2021-43532: firefox - The 'Copy Image Link' context menu action would copy the final image URL after r...
vendor_debian·2021·CVSS 6.1
CVE-2021-43532 [MEDIUM] CVE-2021-43532: firefox - The 'Copy Image Link' context menu action would copy the final image URL after r...
The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.
Scope: local
sid: resolved (fixed in 94.0-1)
Debian
CVE-2021-43531: firefox - When a user loaded a Web Extensions context menu, the Web Extension could access...
vendor_debian·2021·CVSS 4.3
CVE-2021-43531 [MEDIUM] CVE-2021-43531: firefox - When a user loaded a Web Extensions context menu, the Web Extension could access...
When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.
Scope: local
sid: resolved (fixed in 94.0-1)
Mozilla
Mozilla Foundation Security Advisory 2021-48: CVE-2021-43532
vendor_mozilla·CVSS 6.1
CVE-2021-43532 [MEDIUM] Mozilla Foundation Security Advisory 2021-48: CVE-2021-43532
Mozilla Foundation Security Advisory 2021-48
CVE: CVE-2021-43532
Product: Firefox
Impact: high
Fixed in: Firefox 94
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-12-08