
CVE-2021-38503

CVSS Severity Score: 10.0 (CRITICAL)
EPSS Score: 0.1280%
EPSS Percentile: 42.71th
Published: Dec 8, 2021
Last Modified: Nov 21, 2024

Vulnerability Description

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Affected Platforms (CPE)

Mozilla: Firefox < 94.0
Mozilla: Firefox ESR < 91.3
Mozilla: Thunderbird < 91.3
Debian: Debian Linux = 9.0
Debian: Debian Linux = 10.0
Debian: Debian Linux = 11.0
