Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-33594

Summary
Assigner-F-SecureUS
Assigner Org ID-126858f1-1b65-4b74-81ca-7034f7f7723f
Published At-11 Aug, 2021 | 10:28
Updated At-03 Aug, 2024 | 23:50
Rejected At-
Credits

F-Secure Safe browser for Android vulnerable to Address Bar Spoofing

An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:F-SecureUS
Assigner Org ID:126858f1-1b65-4b74-81ca-7034f7f7723f
Published At:11 Aug, 2021 | 10:28
Updated At:03 Aug, 2024 | 23:50
Rejected At:
▼CVE Numbering Authority (CNA)
F-Secure Safe browser for Android vulnerable to Address Bar Spoofing

An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack.

Affected Products
Vendor
F-Secure CorporationF-Secure
Product
F-Secure Mobile Security
Platforms
  • Android
Versions
Affected
  • From 18.4x before 18.3x* (custom)
Problem Types
TypeCWE IDDescription
textN/AF-Secure Safe browser for Android vulnerable to Address Bar Spoofing
Type: text
CWE ID: N/A
Description: F-Secure Safe browser for Android vulnerable to Address Bar Spoofing
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade to version 18.4.x or newer from Google Play

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
x_refsource_MISC
https://www.f-secure.com/en/business/support-and-downloads/security-advisories
x_refsource_MISC
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594
x_refsource_MISC
Hyperlink: https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
Resource:
x_refsource_MISC
Hyperlink: https://www.f-secure.com/en/business/support-and-downloads/security-advisories
Resource:
x_refsource_MISC
Hyperlink: https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
x_refsource_MISC
x_transferred
https://www.f-secure.com/en/business/support-and-downloads/security-advisories
x_refsource_MISC
x_transferred
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594
x_refsource_MISC
x_transferred
Hyperlink: https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.f-secure.com/en/business/support-and-downloads/security-advisories
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve-notifications-us@f-secure.com
Published At:11 Aug, 2021 | 11:15
Updated At:19 Aug, 2021 | 18:45

An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A remote attacker can leverage this to perform address bar spoofing attack.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Secondary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
F-Secure Corporation
f-secure
>>safe>>Versions before 18.4.0(exclusive)
cpe:2.3:a:f-secure:safe:*:*:*:*:*:android:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-famecve-notifications-us@f-secure.com
Vendor Advisory
https://www.f-secure.com/en/business/support-and-downloads/security-advisoriescve-notifications-us@f-secure.com
Vendor Advisory
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594cve-notifications-us@f-secure.com
Vendor Advisory
Hyperlink: https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame
Source: cve-notifications-us@f-secure.com
Resource:
Vendor Advisory
Hyperlink: https://www.f-secure.com/en/business/support-and-downloads/security-advisories
Source: cve-notifications-us@f-secure.com
Resource:
Vendor Advisory
Hyperlink: https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-33594
Source: cve-notifications-us@f-secure.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2021-33596
Matching Score-8
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
ShareView Details
Matching Score-8
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
CVSS Score-3.5||LOW
EPSS-0.27% / 50.43%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 19:26
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fake Apple login prompt in F-Secure SAFE browser for iOS

Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. Exploiting the vulnerability requires the user to click on a specially crafted, seemingly legitimate URL containing an embedded malicious redirect while using F-Secure Safe Browser for iOS.

Action-Not Available
Vendor-F-Secure Corporation
Product-safeF-Secure Mobile Security
CWE ID-CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CVE-2021-33572
Matching Score-8
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
ShareView Details
Matching Score-8
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
CVSS Score-3.5||LOW
EPSS-0.44% / 62.12%
||
7 Day CHG~0.00%
Published-21 Jun, 2021 | 11:10
Updated-16 Sep, 2024 | 23:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial-of-Service (DoS) Vulnerability

A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Linux Security whereby the FSAVD component used in certain F-Secure products can crash while scanning larger packages/fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the Anti-Virus engine.

Action-Not Available
Vendor-F-Secure Corporation
Product-elements_for_microsoft_365linux_securityendpoint_protectioncloud_protection_for_salesforceF-Secure Products
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2022-38163
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.15% / 36.47%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 00:00
Updated-02 May, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Drag and Drop spoof vulnerability was discovered in F-Secure SAFE Browser for Android and iOS version 19.0 and below. Drag and drop operation by user on address bar could lead to a spoofing of the address bar.

Action-Not Available
Vendor-n/aF-Secure Corporation
Product-safen/a
CWE ID-CWE-451
User Interface (UI) Misrepresentation of Critical Information
CVE-2014-2844
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-3.5||LOW
EPSS-0.21% / 43.36%
||
7 Day CHG~0.00%
Published-18 Apr, 2014 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in F-Secure Messaging Secure Gateway 7.5.0 before Patch 1862 allows remote authenticated administrators to inject arbitrary web script or HTML via the new parameter in the SysUser module to admin.

Action-Not Available
Vendor-n/aF-Secure Corporation
Product-secure_messaging_secure_gatewayn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33595
Matching Score-8
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
ShareView Details
Matching Score-8
Assigner-126858f1-1b65-4b74-81ca-7034f7f7723f
CVSS Score-3.5||LOW
EPSS-0.30% / 53.07%
||
7 Day CHG~0.00%
Published-11 Aug, 2021 | 10:28
Updated-03 Aug, 2024 | 23:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing

A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address bar spoofing attack.

Action-Not Available
Vendor-F-Secure Corporation
Product-safeF-Secure Mobile Security
Details not found