{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2021-43532","title":"Title"},{"category":"description","text":"The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. This vulnerability affects Firefox < 94.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2021-43532","url":"https://www.suse.com/security/cve/CVE-2021-43532"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1192250 for CVE-2021-43532","url":"https://bugzilla.suse.com/1192250"}],"title":"SUSE CVE 
CVE-2021-43532","tracking":{"current_release_date":"2025-07-01T00:46:49Z","generator":{"date":"2023-02-15T03:36:56Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2021-43532","initial_release_date":"2023-02-15T03:36:56Z","revision_history":[{"date":"2023-02-15T03:36:56Z","number":"2","summary":"Current version"},{"date":"2024-10-05T05:21:13Z","number":"3","summary":"Current version"},{"date":"2024-10-21T18:27:45Z","number":"4","summary":"Current version"},{"date":"2025-01-01T04:08:52Z","number":"5","summary":"Current version"},{"date":"2025-01-10T02:34:43Z","number":"6","summary":"Current version"},{"date":"2025-02-15T04:43:41Z","number":"7","summary":"Current version"},{"date":"2025-02-17T05:06:13Z","number":"8","summary":"Current version"},{"date":"2025-03-15T08:37:24Z","number":"9","summary":"Current version"},{"date":"2025-04-25T04:28:28Z","number":"10","summary":"Current version"},{"date":"2025-05-01T06:09:04Z","number":"11","summary":"Current version"},{"date":"2025-06-18T00:02:42Z","number":"12","summary":"Current version"},{"date":"2025-06-27T00:51:55Z","number":"13","summary":"Current version"},{"date":"2025-07-01T00:46:49Z","number":"14","summary":"Current version"}],"status":"interim","version":"14"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:12:sp5"}}},{"category":"product_version","name":"MozillaFirefox","product":{"name":"MozillaFirefox","product_id":"MozillaFirefox","product_identification_helper":{"cpe":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/MozillaFirefox@?upstream=MozillaFirefox.src.rpm"}}}],"category":"product_family","name":"SUSE Linux 
Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Point of Service 11 SP3","product_id":"SUSE Linux Enterprise Point of Service 11 SP3:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Point of Service 11 SP3"},{"category":"default_component_of","full_product_name":{"name":"MozillaFirefox as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox"},"product_reference":"MozillaFirefox","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12 SP5"}]},"vulnerabilities":[{"cve":"CVE-2021-43532","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-43532"}],"notes":[{"category":"general","text":"The 'Copy Image Link' context menu action would copy the final image URL after redirects. By embedding an image that triggered authentication flows - in conjunction with a Content Security Policy that stopped a redirection chain in the middle - the final image URL could be one that contained an authentication token used to take over a user account. If a website tricked a user into copying and pasting the image link back to the page, the page would be able to steal the authentication tokens. This was fixed by making the action return the original URL, before any redirects. 
This vulnerability affects Firefox < 94.","title":"CVE description"}],"product_status":{"known_affected":["SUSE Linux Enterprise Server for SAP Applications 12 SP5:MozillaFirefox"]},"references":[{"category":"external","summary":"CVE-2021-43532","url":"https://www.suse.com/security/cve/CVE-2021-43532"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1192250 for CVE-2021-43532","url":"https://bugzilla.suse.com/1192250"}],"remediations":[{"category":"no_fix_planned","details":"There is no fix planned for these products.\n","product_ids":["SUSE Linux Enterprise Point of Service 11 SP3:MozillaFirefox"]}],"threats":[{"category":"impact","date":"2021-11-02T12:45:26Z","details":"important"}],"title":"CVE-2021-43532"}]}