Rewterz Threat Advisory – Multiple McAfee Policy Auditor Vulnerabilities
December 9, 2021Rewterz Threat Alert – APT SideWinder Group – IOCs
December 9, 2021Severity
Medium
Analysis Summary
CVE-2021-43538
Mozilla Thunderbird could allow a remote attacker to conduct spoofing attacks, caused by missing fullscreen and pointer lock notification when requesting both. By misusing a race in our notification code, an attacker could exploit this vulnerability to spoof notification.
CVE-2021-43528
Mozilla Thunderbird could allow a remote attacker to bypass security restrictions, caused by the unexpected enablement of JavaScript in the composition area. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to launch further attacks on the system.
CVE-2021-43546
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when a native cursor is zoomed. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to conduct a cursor spoofing attack.
CVE-2021-43545
Mozilla Firefox is vulnerable to a denial of service, caused by an error when using the Location API in a loop. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVE-2021-43544
Mozilla Firefox for Android is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when receiving a URL through a SEND intent. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2021-43543
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the bypass of CSP sandbox directive when embedding By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow documents loaded with the CSP sandbox directive to escape.
CVE-2021-43542
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an error when using XMLHttpRequest error codes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to leak the existence of an external protocol handler.
CVE-2021-43539
Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free when calling wasm instance methods. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVE-2021-43541
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error when invoking protocol handlers for external protocols. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow external protocol handler parameters to escape.
CVE-2021-43540
Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error within WebExtensions with the correct permissions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension.
Impact
- Unauthorized Access
- Security Bypass
- Denial of Service
- Cross-Site Scripting
- Information Disclosure
Affected Vendors
Mozilla
Affected Products
- Mozilla Firefox 94
- Mozilla Firefox ESR 91.3
- Mozilla Thunderbird 91.3
Remediation
Refer to Mozilla Foundation Security Advisory for patch, upgrade or suggested workaround information.