{"api_version":"1","generated_at":"2026-04-22T23:31:50+00:00","cve":"CVE-2021-38506","urls":{"html":"https://cve.report/CVE-2021-38506","api":"https://cve.report/api/cve/CVE-2021-38506.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-38506","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-38506"},"summary":{"title":"CVE-2021-38506","description":"Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-12-08 22:15:00","updated_at":"2022-12-09 15:31:00"},"problem_types":["CWE-1021"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2021/dsa-5026","name":"DSA-5026","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5026-1 firefox-esr","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-50/","name":"https://www.mozilla.org/security/advisories/mfsa2021-50/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Thunderbird 91.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202208-14","name":"GLSA-202208-14","refsource":"GENTOO","tags":[],"title":"Mozilla Thunderbird: Multiple Vulnerabilities (GLSA 202208-14) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-48/","name":"https://www.mozilla.org/security/advisories/mfsa2021-48/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox 94 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-49/","name":"https://www.mozilla.org/security/advisories/mfsa2021-49/","refsource":"MISC","tags":[],"title":"Security Vulnerabilities fixed in Firefox ESR 91.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1730750","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1730750","refsource":"MISC","tags":[],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202202-03","name":"GLSA-202202-03","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox: Multiple vulnerabilities (GLSA 202202-03) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5034","name":"DSA-5034","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5034-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html","name":"[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2863-1] firefox-esr security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2874-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-38506","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38506","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"38506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"38506","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-38506","qid":"159449","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2021-4116)"},{"cve":"CVE-2021-38506","qid":"159450","title":"Oracle Enterprise Linux Security Update for firefox (ELSA-2021-4123)"},{"cve":"CVE-2021-38506","qid":"159451","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-4130)"},{"cve":"CVE-2021-38506","qid":"159452","title":"Oracle Enterprise Linux Security Update for thunderbird (ELSA-2021-4134)"},{"cve":"CVE-2021-38506","qid":"178948","title":"Debian Security Update for firefox-esr (DSA 5026-1)"},{"cve":"CVE-2021-38506","qid":"178970","title":"Debian Security Update for firefox-esr (DLA 2863-1)"},{"cve":"CVE-2021-38506","qid":"178983","title":"Debian Security Update for thunderbird (DSA 5034-1)"},{"cve":"CVE-2021-38506","qid":"178986","title":"Debian Security Update for thunderbird (DLA 2874-1)"},{"cve":"CVE-2021-38506","qid":"179984","title":"Debian Security Update for firefox-esr (CVE-2021-38506)"},{"cve":"CVE-2021-38506","qid":"198556","title":"Ubuntu Security Notification for Firefox Vulnerabilities (USN-5131-1)"},{"cve":"CVE-2021-38506","qid":"198581","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5152-1)"},{"cve":"CVE-2021-38506","qid":"198641","title":"Ubuntu Security Notification for Thunderbird Vulnerabilities (USN-5248-1)"},{"cve":"CVE-2021-38506","qid":"239773","title":"Red Hat Update for firefox (RHSA-2021:4116)"},{"cve":"CVE-2021-38506","qid":"239774","title":"Red Hat Update for thunderbird (RHSA-2021:4133)"},{"cve":"CVE-2021-38506","qid":"239775","title":"Red Hat Update for thunderbird (RHSA-2021:4130)"},{"cve":"CVE-2021-38506","qid":"239776","title":"Red Hat Update for thunderbird (RHSA-2021:4134)"},{"cve":"CVE-2021-38506","qid":"239777","title":"Red Hat Update for firefox (RHSA-2021:4123)"},{"cve":"CVE-2021-38506","qid":"239778","title":"Red Hat Update for thunderbird (RHSA-2021:4132)"},{"cve":"CVE-2021-38506","qid":"239853","title":"Red Hat Update for firefox (RHSA-2021:4605)"},{"cve":"CVE-2021-38506","qid":"239860","title":"Red Hat Update for firefox (RHSA-2021:4607)"},{"cve":"CVE-2021-38506","qid":"257117","title":"CentOS Security Update for thunderbird (CESA-2021:4134)"},{"cve":"CVE-2021-38506","qid":"257118","title":"CentOS Security Update for firefox (CESA-2021:4116)"},{"cve":"CVE-2021-38506","qid":"296066","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 40.107.3 Missing (CPUOCT2021)"},{"cve":"CVE-2021-38506","qid":"376014","title":"Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2021-49)"},{"cve":"CVE-2021-38506","qid":"376015","title":"Mozilla Firefox Multiple Vulnerabilities (MFSA2021-48)"},{"cve":"CVE-2021-38506","qid":"376038","title":"Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-50)"},{"cve":"CVE-2021-38506","qid":"502070","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2021-38506","qid":"502082","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-38506","qid":"502381","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38506","qid":"503632","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38506","qid":"503634","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38506","qid":"503650","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38506","qid":"503669","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38506","qid":"503853","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2021-38506","qid":"506260","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2021-38506","qid":"710574","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 202202-03)"},{"cve":"CVE-2021-38506","qid":"710585","title":"Gentoo Linux Mozilla Thunderbird Multiple Vulnerabilities (GLSA 202208-14)"},{"cve":"CVE-2021-38506","qid":"751360","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:3651-1)"},{"cve":"CVE-2021-38506","qid":"751371","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2021:3745-1)"},{"cve":"CVE-2021-38506","qid":"751387","title":"SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:3721-1)"},{"cve":"CVE-2021-38506","qid":"751542","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:4150-1)"},{"cve":"CVE-2021-38506","qid":"751566","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2021:1635-1)"},{"cve":"CVE-2021-38506","qid":"940017","title":"AlmaLinux Security Update for thunderbird (ALSA-2021:4130)"},{"cve":"CVE-2021-38506","qid":"940364","title":"AlmaLinux Security Update for firefox (ALSA-2021:4123)"},{"cve":"CVE-2021-38506","qid":"960054","title":"Rocky Linux Security Update for firefox (RLSA-2021:4123)"},{"cve":"CVE-2021-38506","qid":"960744","title":"Rocky Linux Security Update for thunderbird (RLSA-2021:4130)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-38506","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"94","version_affected":"<"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"91.3","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"91.3","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Firefox could be coaxed into going into fullscreen mode without notification or warning"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2021-49/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-49/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-50/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-50/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2021-48/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2021-48/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1730750","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1730750"},{"refsource":"DEBIAN","name":"DSA-5026","url":"https://www.debian.org/security/2021/dsa-5026"},{"refsource":"MLIST","name":"[debian-lts-announce] 20211229 [SECURITY] [DLA 2863-1] firefox-esr security update","url":"https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html"},{"refsource":"DEBIAN","name":"DSA-5034","url":"https://www.debian.org/security/2022/dsa-5034"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220104 [SECURITY] [DLA 2874-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html"},{"refsource":"GENTOO","name":"GLSA-202202-03","url":"https://security.gentoo.org/glsa/202202-03"},{"refsource":"GENTOO","name":"GLSA-202208-14","url":"https://security.gentoo.org/glsa/202208-14"}]},"description":{"description_data":[{"lang":"eng","value":"Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3."}]}},"nvd":{"publishedDate":"2021-12-08 22:15:00","lastModifiedDate":"2022-12-09 15:31:00","problem_types":["CWE-1021"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"91.3.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"91.3.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"94.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"38506","Ordinal":"214168","Title":"CVE-2021-38506","CVE":"CVE-2021-38506","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"38506","Ordinal":"1","NoteData":"Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"38506","Ordinal":"2","NoteData":"2021-12-08","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"38506","Ordinal":"3","NoteData":"2022-01-04","Type":"Other","Title":"Modified"}]}}}