CyberSec.Space Logo
Back to CVE Browser

CVE-2021-4140

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0830%
EPSS Percentile15.74th
PublishedDec 22, 2022
Last ModifiedApr 16, 2025

Vulnerability Description

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Affected Platforms (CPE)

πŸ“¦
Mozilla

Firefox

< 96.0
πŸ“¦
Mozilla

Firefox Esr

< 91.5
πŸ“¦
Mozilla

Thunderbird

< 91.5

References & Advisories

πŸ”— https://bugzilla.mozilla.org/show_bug.cgi?id=1746720
πŸ”— https://www.mozilla.org/security/advisories/mfsa2022-01/
πŸ”— https://www.mozilla.org/security/advisories/mfsa2022-02/
πŸ”— https://www.mozilla.org/security/advisories/mfsa2022-03/
πŸ”— https://bugzilla.mozilla.org/show_bug.cgi?id=1746720
πŸ”— https://www.mozilla.org/security/advisories/mfsa2022-01/
πŸ”— https://www.mozilla.org/security/advisories/mfsa2022-02/
πŸ”— https://www.mozilla.org/security/advisories/mfsa2022-03/

Related Vulnerabilities

CVE-2019-1170810.0

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the no...

CVE-2019-2513610.0

A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and ...

CVE-2018-1850510.0

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication betwee...

CVE-2020-1238810.0

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this iss...