Vulnerability Details : CVE-2021-38508
By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
Products affected by CVE-2021-38508
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-38508
0.98%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-38508
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2021-38508
-
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-38508
-
https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html
[SECURITY] [DLA 2874-1] thunderbird security updateMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html
[SECURITY] [DLA 2863-1] firefox-esr security updateMailing List;Third Party Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1366818
Access DeniedIssue Tracking;Permissions Required;Vendor Advisory
-
https://www.debian.org/security/2021/dsa-5026
Debian -- Security Information -- DSA-5026-1 firefox-esrThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2021-50/
Security Vulnerabilities fixed in Thunderbird 91.3 — MozillaVendor Advisory
-
https://security.gentoo.org/glsa/202202-03
Mozilla Firefox: Multiple vulnerabilities (GLSA 202202-03) — Gentoo securityThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2021-49/
Security Vulnerabilities fixed in Firefox ESR 91.3 — MozillaVendor Advisory
-
https://www.debian.org/security/2022/dsa-5034
Debian -- Security Information -- DSA-5034-1 thunderbirdThird Party Advisory
-
https://security.gentoo.org/glsa/202208-14
Mozilla Thunderbird: Multiple Vulnerabilities (GLSA 202208-14) — Gentoo securityThird Party Advisory
-
https://www.mozilla.org/security/advisories/mfsa2021-48/
Security Vulnerabilities fixed in Firefox 94 — MozillaVendor Advisory
Jump to