CVEブラウザに戻る

CVE-2021-38503

CRITICAL

10.0

CVSS Severity Score

EPSS Score0.1280%

EPSS Percentile42.71th

Published2021年12月8日

Last Modified2024年11月21日

Vulnerability Description

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

Affected Platforms (CPE)

📦

Mozilla

Firefox

< 94.0

📦

Mozilla

Firefox Esr

< 91.3

📦

Mozilla

Thunderbird

< 91.3

💻

Debian

Debian Linux

= 9.0

💻

Debian

Debian Linux

= 10.0

💻

Debian

Debian Linux

= 11.0

References & Advisories

🔗 https://bugzilla.mozilla.org/show_bug.cgi?id=1729517

🔗 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html

🔗 https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

🔗 https://security.gentoo.org/glsa/202202-03

🔗 https://security.gentoo.org/glsa/202208-14

🔗 https://www.debian.org/security/2021/dsa-5026

🔗 https://www.debian.org/security/2022/dsa-5034

🔗 https://www.mozilla.org/security/advisories/mfsa2021-48/

関連する脆弱性情報

CVE-2019-1170810.0

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the no...

CVE-2019-2513610.0

A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and ...

CVE-2018-1850510.0

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication betwee...

CVE-2020-1238810.0

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this iss...