Mozilla Firefox vulnerabilities
3,148 known vulnerabilities affecting mozilla/firefox.
Total CVEs: 3,148
CISA KEV: 17 (actively exploited)
Public exploits: 122
Exploited in wild: 22
Severity breakdown: CRITICAL 862, HIGH 921, MEDIUM 1295, LOW 70
Vulnerabilities
Page 47 of 158
CVE-2021-29953 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 88.0.1 | fixed in 88.1.3 | +1 more | 2021-06-24
A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allo
Sources: nvd, mozilla
CVE-2021-29962 | MEDIUM | CVSS 4.3 | CWE-404 | fixed in 89.0 | ≥ unspecified, < 89 | 2021-06-24
Firefox for Android would become unstable and hard-to-recover when a website opened too many popups. *This bug only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 89.
Sources: nvd, mozilla
CVE-2021-23996 | MEDIUM | CVSS 6.5 | fixed in 88.0 | ≥ unspecified, < 88 | 2021-06-24
By utilizing 3D CSS in conjunction with JavaScript, content could have been rendered outside the webpage's viewport, resulting in a spoofing attack that could have been used for phishing or other attacks on a user. This vulnerability affects Firefox < 88.
Sources: nvd, osv, mozilla
CVE-2021-24000 | LOW | CVSS 3.1 | CWE-362 | fixed in 88.0 | ≥ unspecified, < 88 | 2021-06-24
A race condition with requestPointerLock() and setTimeout() could have resulted in a user interacting with one tab when they believed they were on a separate tab. In conjunction with certain elements (such as ) this could have led to an attack where a user was confused about the origin of the webpage and potentially disclosed information they did not i
Sources: nvd, osv, mozilla
CVE-2021-30547 | HIGH | CVSS 8.8 | CWE-787 | fixed in 97.0 | 2021-06-15
Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
Sources: nvd, mozilla
CVE-2011-3656 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.6.24 | ≥ 4.0, ≤ 7.0 | 2021-06-02
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7 allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP 0.9 errors, non-default ports, and content-sniffing.
Sources: nvd
CVE-2021-23987 | HIGH | CVSS 8.8 | CWE-787 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
Mozilla developers and community members reported memory safety bugs present in Firefox 86 and Firefox ESR 78.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.
Sources: nvd, mozilla
CVE-2021-23981 | HIGH | CVSS 8.1 | CWE-787 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
A texture upload of a Pixel Buffer Object could have confused the WebGL code to skip binding the buffer used to unpack it, resulting in memory corruption and a potentially exploitable information leak or crash. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
Sources: nvd, osv, mozilla
CVE-2021-23988 | HIGH | CVSS 8.8 | CWE-787 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 87.
Sources: nvd, osv, mozilla
CVE-2021-23982 | MEDIUM | CVSS 6.5 | CWE-326 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
Using techniques that built on the slipstream research, a malicious webpage could have scanned both an internal network's hosts as well as services running on the user's local machine utilizing WebRTC connections. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.
Sources: nvd, mozilla
CVE-2021-23983 | MEDIUM | CVSS 6.5 | CWE-787 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 87.
Sources: nvd, osv, mozilla
CVE-2021-23985 | MEDIUM | CVSS 6.5 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unnoticeable to the user. This would have allowed a remote attacker (able to make a direct network connection to the victim) to monitor the user's browsing activity
Sources: nvd, osv, mozilla
CVE-2021-23986 | MEDIUM | CVSS 6.5 | CWE-346 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was
Sources: nvd, osv, mozilla
CVE-2021-23984 | MEDIUM | CVSS 6.5 | CWE-290 | fixed in 87.0 | ≥ unspecified, < 87 | 2021-03-31
A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, a
Sources: nvd, mozilla
CVE-2021-23961 | HIGH | CVSS 7.4 | fixed in 85.0 | fixed in 85 | 2021-02-26
Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 85.
Sources: nvd, mozilla
CVE-2021-23964 | HIGH | CVSS 8.8 | CWE-787 | fixed in 85.0 | fixed in 85 | 2021-02-26
Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.
Sources: nvd, mozilla
CVE-2021-23954 | HIGH | CVSS 8.8 | CWE-843 | fixed in 85.0 | fixed in 85 | 2021-02-26
Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.
Sources: nvd, mozilla
CVE-2021-23957 | HIGH | CVSS 7.4 | fixed in 85.0 | fixed in 85 | 2021-02-26
Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85.
Sources: nvd, mozilla
CVE-2021-23972 | HIGH | CVSS 8.8 | fixed in 86.0 | fixed in 86 | 2021-02-26
One phishing tactic on the web is to provide a link with HTTP Auth. For example 'https://www.phishingtarget.com@evil.com'. To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser. This vulnerability affects Firefox < 86.
Sources: nvd, osv, mozilla
CVE-2021-23978 | HIGH | CVSS 8.8 | CWE-787 | fixed in 86.0 | fixed in 86 | 2021-02-26
Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.
Sources: nvd, mozilla