CVE-2021-23999

HIGH

Firefox ESR <78.10, Thunderbird <78.10, Firefox <88 - Info Disclosure

Title source: llm

Description

If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.

References (4)

[Release Notes, Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2021-14/

[Release Notes, Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2021-16/

[Release Notes, Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2021-15/

[Exploit, Issue Tracking, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1691153

Scores

CVSS v3 8.8

EPSS 0.0015

EPSS Percentile 35.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-269 CWE-697

Status published

Products (3)

mozilla/firefox < 88.0

mozilla/firefox_esr < 78.10

mozilla/thunderbird < 78.10

Published Jun 24, 2021

Tracked Since Feb 18, 2026