CVE-2021-23984

A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1693664	Issue Tracking Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-10/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-11/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2021-12/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox_esr::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

History

06 Aug 2021, 18:18

Type	Values Removed	Values Added
References	~~{'url': 'https://security.gentoo.org/glsa/202104-10', 'name': 'GLSA-202104-10', 'tags': ['Third Party Advisory'], 'refsource': 'GENTOO'}~~ ~~{'url': 'https://security.gentoo.org/glsa/202104-09', 'name': 'GLSA-202104-09', 'tags': ['Third Party Advisory'], 'refsource': 'GENTOO'}~~

24 Jun 2021, 14:15

Type	Values Removed	Values Added
Summary	A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Thunderbird < 78.9, and Firefox < 87.	A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials. This vulnerability affects Firefox ESR < 78.9, Firefox < 87, and Thunderbird < 78.9.

04 Jun 2021, 18:57

Type	Values Removed	Values Added
References	~~(GENTOO) https://security.gentoo.org/glsa/202104-10 -~~	(GENTOO) https://security.gentoo.org/glsa/202104-10 - Third Party Advisory
References	~~(MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1693664 - Issue Tracking~~	(MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1693664 - Issue Tracking, Vendor Advisory
References	~~(GENTOO) https://security.gentoo.org/glsa/202104-09 -~~	(GENTOO) https://security.gentoo.org/glsa/202104-09 - Third Party Advisory

01 May 2021, 02:15

Type	Values Removed	Values Added
References		(GENTOO) https://security.gentoo.org/glsa/202104-09 - (GENTOO) https://security.gentoo.org/glsa/202104-10 -

05 Apr 2021, 14:39

Type	Values Removed	Values Added
References	~~(MISC) https://www.mozilla.org/security/advisories/mfsa2021-10/ -~~	(MISC) https://www.mozilla.org/security/advisories/mfsa2021-10/ - Vendor Advisory
References	~~(MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1693664 -~~	(MISC) https://bugzilla.mozilla.org/show_bug.cgi?id=1693664 - Issue Tracking
References	~~(MISC) https://www.mozilla.org/security/advisories/mfsa2021-11/ -~~	(MISC) https://www.mozilla.org/security/advisories/mfsa2021-11/ - Vendor Advisory
References	~~(MISC) https://www.mozilla.org/security/advisories/mfsa2021-12/ -~~	(MISC) https://www.mozilla.org/security/advisories/mfsa2021-12/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.3 v3 : 6.5
CWE		CWE-290
CPE		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:firefox_esr:::::::: cpe:2.3:a:mozilla:thunderbird::::::::

31 Mar 2021, 14:48

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-03-31 14:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-23984

Mitre link : CVE-2021-23984

CVE.ORG link : CVE-2021-23984

JSON object : View

Products Affected

mozilla

thunderbird
firefox
firefox_esr

CWE

CWE-290

Authentication Bypass by Spoofing

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-23984

6.5^/10

4.3^/10

Attach tags to `CVE-2021-23984`