{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "94", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "91.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "91.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3."}], "problemTypes": [{"descriptions": [{"description": "Javascript alert box could have been spoofed onto an arbitrary domain", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-10T05:12:25", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-49/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-50/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-48/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1718571"}, {"name": "DSA-5026", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-5026"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"}, {"name": "DSA-5034", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"name": "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}, {"name": "GLSA-202202-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202202-03"}, {"name": "GLSA-202208-14", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-14"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2021-38509", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "94"}]}}, {"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "91.3"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_affected": "<", "version_value": "91.3"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Javascript alert box could have been spoofed onto an arbitrary domain"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2021-49/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-49/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2021-50/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-50/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2021-48/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2021-48/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1718571", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1718571"}, {"name": "DSA-5026", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-5026"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"}, {"name": "DSA-5034", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5034"}, {"name": "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}, {"name": "GLSA-202202-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202202-03"}, {"name": "GLSA-202208-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-14"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:44:23.355Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-49/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-50/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-48/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1718571"}, {"name": "DSA-5026", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-5026"}, {"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"}, {"name": "DSA-5034", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"name": "[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}, {"name": "GLSA-202202-03", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202202-03"}, {"name": "GLSA-202208-14", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-14"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2021-38509", "datePublished": "2021-12-08T21:21:30", "dateReserved": "2021-08-10T00:00:00", "dateUpdated": "2024-08-04T01:44:23.355Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "A22FDA8A-B862-4383-9C8E-C162713AB01B", "versionEndExcluding": "94.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "DEA65EE6-233C-4CC1-83E8-316748943DAF", "versionEndExcluding": "91.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "65E19CA9-5FDF-4253-8D56-FD82239F7D93", "versionEndExcluding": "91.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3."}, {"lang": "es", "value": "Debido a una secuencia inusual de eventos controlados por el atacante, un di\u00e1logo Javascript alert() con contenido arbitrario (aunque sin estilo) podr\u00eda mostrarse encima de una p\u00e1gina web no controlada de la elecci\u00f3n del atacante. Esta vulnerabilidad afecta a Firefox versiones anteriores a 94, Thunderbird versiones anteriores a 91.3 y Firefox ESR versiones anteriores a 91.3"}], "id": "CVE-2021-38509", "lastModified": "2022-12-09T15:22:38.027", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-08T22:15:09.050", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1718571"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202202-03"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-14"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-5026"}, {"source": "security@mozilla.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5034"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-48/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-49/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2021-50/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4116", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:91.3.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-11-03T00:00:00Z"}, {"advisory": "RHSA-2021:4134", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:91.3.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2021-11-04T00:00:00Z"}, {"advisory": "RHSA-2021:4123", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:91.3.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-03T00:00:00Z"}, {"advisory": "RHSA-2021:4130", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:91.3.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-04T00:00:00Z"}, {"advisory": "RHSA-2021:4133", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "thunderbird-0:91.3.0-2.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-11-04T00:00:00Z"}, {"advisory": "RHSA-2021:4607", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "firefox-0:91.3.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4132", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:91.3.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-11-04T00:00:00Z"}, {"advisory": "RHSA-2021:4605", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "firefox-0:91.3.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-11-10T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Javascript alert box could have been spoofed onto an arbitrary domain", "id": "2019628", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2019628"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-1021", "details": ["Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3."], "name": "CVE-2021-38509", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-11-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-38509\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-38509"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 91.3, firefox 91.3"}