PT-2021-15641 · Mozilla · Firefox
Armin Ebert · Published 2021-03-23 · Updated 2024-12-12 · CVE-2021-23986
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Firefox versions prior to 87
Description:
A malicious extension with the search permission could bypass the same-origin policy by installing a new search engine whose favicon references a cross-origin URL. The response to this cross-origin request could be read by the extension, potentially disclosing sensitive information about local-network resources or resources that use IP-based authentication. The cross-origin request was made without cookies, limiting the sensitive information disclosed.
Recommendations:
For Firefox versions prior to 87, update to version 87 or later to resolve the issue. As a temporary workaround, consider disabling the search permission for extensions until a patch is available. Restrict access to sensitive local-network resources and resources that perform IP-based authentication to minimize the risk of exploitation.
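The workaround above hinges on two facts a defender can check: whether the installed Firefox is still below the fixed release, and which extensions actually request the search permission. The script below is an added example written for this page; it is not code from the advisory or from Mozilla. The function names, the version-string parsing rule and the sample manifests are assumptions made for the example, and the manifests are constructed rather than taken from real extensions.

```python
"""Audit helpers for CVE-2021-23986: flag Firefox builds below the fixed
release and WebExtensions that request the 'search' permission.

Added example, not from the advisory or from Mozilla. Function names,
the version-parsing rule and the sample manifests are assumptions."""
import json
import re
from typing import Dict, Iterable, List, Tuple

FIXED_MAJOR = 87  # the advisory states the issue is resolved in Firefox 87


def parse_major(version: str) -> int:
    """Extract the major version from strings such as '86.0.1' or '87.0b3'."""
    m = re.match(r"(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    return int(m.group(1))


def firefox_is_affected(version: str) -> bool:
    """True when the major version is below the fixed release (87)."""
    return parse_major(version) < FIXED_MAJOR


def search_permission_requested(manifest: Dict) -> bool:
    """True if a manifest requests 'search' either as a required permission
    or as an optional one the extension may ask for at runtime."""
    requested = set(manifest.get("permissions", []))
    requested.update(manifest.get("optional_permissions", []))
    return "search" in requested


def audit(version: str, manifests: Iterable[Tuple[str, str]]) -> List[str]:
    """Return ids of extensions that request 'search' while the browser is
    still on an affected release. manifests yields (id, manifest_json) pairs."""
    if not firefox_is_affected(version):
        return []
    flagged = []
    for ext_id, text in manifests:
        manifest = json.loads(text)
        if search_permission_requested(manifest):
            flagged.append(ext_id)
    return flagged


# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = [
    ("tabs-helper@example", json.dumps({
        "manifest_version": 2, "name": "Tabs Helper", "version": "1.0",
        "permissions": ["tabs"]})),
    ("quick-search@example", json.dumps({
        "manifest_version": 2, "name": "Quick Search", "version": "2.3",
        "permissions": ["search", "storage"]})),
    ("opt-search@example", json.dumps({
        "manifest_version": 2, "name": "Opt Search", "version": "0.9",
        "optional_permissions": ["search"]})),
]

if __name__ == "__main__":
    for ver in ("86.0.1", "87.0"):
        print(ver, "->", audit(ver, SAMPLE_MANIFESTS))
```

Optional permissions are checked as well as required ones, because an extension that lists search under optional_permissions can still obtain it after installation; an inventory that only looks at required permissions would miss it. In a real audit the manifest text would come from the unpacked extensions in the user's profile rather than from the constructed list above.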
Weakness Enumeration:
Origin Validation Error
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Firefox
Linuxmint
Ubuntu