Rewterz Threat Advisory – CVE-2021-21267 – Node.js schema-inspector module denial of service
March 22, 2021
Rewterz Threat Alert – Social Engineering Attacks on the Rise
March 24, 2021
Severity
High
Analysis Summary
CVE-2021-23988
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2021-23986
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the installation of a new search engine whose favicon referenced a cross-origin URL by a malicious extension with the ‘search’ permission. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass a same-origin policy and obtain limited local-network resources.
CVE-2021-23985
Mozilla Firefox could allow a remote authenticated attacker to bypass security restrictions, caused by the enablement of the Devtools remote debugging feature. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to monitor the user’s browsing activity and (plaintext) network traffic.
CVE-2021-23984
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by a malicious extension opening a popup window. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the Web site and attempt to trick the user into providing credentials.
CVE-2021-23983
Mozilla Firefox is vulnerable to a denial of service, caused by an error when applying transitions for invalid marker properties. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to corrupt memory and cause the browser to crash.
CVE-2021-23982
Mozilla Firefox could provide weaker than expected security when faced with techniques that build on the slipstream research. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to probe internal network hosts.
CVE-2021-23987
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Impact
- Arbitrary code execution
- Denial of service
- Security bypass
Affected Vendors
Mozilla
Affected Products
Mozilla Firefox 86
Remediation
Refer to Mozilla Foundation Security Advisory 2021-10 for patch, upgrade or suggested workaround information.