Mozilla releases security updates for Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3
Hello everyone,
Mozilla has fixed several high severity security vulnerabilities in Firefox 94, Firefox ESR 91.3, and Thunderbird 91.3. The details of the vulnerabilities fixed are as follows: Platform | CVE ID | Vulnerability | Impact |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38503 | iframe sandbox rules did not apply to XSLT stylesheets | High |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38504 | Use-after-free in file picker dialog | High |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38505 | Windows 10 Cloud Clipboard may have recorded sensitive user data | High |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38506 | Firefox could be coaxed into going into fullscreen mode without notification or warning | High |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38507 | Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports | High |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38508 | Permission Prompt could be overlaid, resulting in user confusion and potential spoofing | Moderate |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38509 | Javascript alert box could have been spoofed onto an arbitrary domain | Moderate |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | CVE-2021-38510 | Download Protections were bypassed by .inetloc files on Mac OS | Moderate |
Firefox 94 | MOZ-2021-0003 | Universal XSS in Firefox for Android via QR Code URLs | High |
Firefox 94 | MOZ-2021-0004 | Web Extensions could access pre-redirect URL when their context menu was triggered by a user | Moderate |
Firefox 94 | MOZ-2021-0005 | 'Copy Image Link' context menu action could have been abused to see authentication tokens | Low |
Firefox 94 | MOZ-2021-0006 | URL Parsing may incorrectly parse internationalized domains | Low |
Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | MOZ-2021-0007 | Memory safety bugs fixed in Firefox 94, Firefox ESR 91.3, Thunderbird 91.3 | High |
Firefox ESR 91.3, Thunderbird 91.3 | MOZ-2021-0008 | Use-after-free in HTTP2 Session object | High |
To patch these vulnerabilities, initiate a sync between the Central Patch Repository and the Desktop Central server. Once synced, search for the following Patch IDs or Bulletin IDs and deploy them to your target systems.
Patch ID | Bulletin ID | Patch Description |
322240 | TU-054 | Mozilla Firefox ESR (91) (x64) (91.3.0) |
322239 | TU-054 | Mozilla Firefox ESR (91) (91.3.0) |
322237 | TU-027 | Mozilla Firefox (94.0) |
322238 | TU-027 | Mozilla Firefox (x64) (94.0) |
322244 | TU-028 | Mozilla Thunderbird (91) (91.3.0) |
322245 | TU-028 | Mozilla Thunderbird (91) (x64) (91.3.0) |
Cheers,
The ManageEngine Team