返回 CVE 瀏覽器

CVE-2021-4140

CRITICAL

10.0

CVSS Severity Score

EPSS Score0.0830%

EPSS Percentile15.74th

Published2022年12月22日

Last Modified2025年4月16日

Vulnerability Description

It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.

Affected Platforms (CPE)

📦

Mozilla

Firefox

< 96.0

📦

Mozilla

Firefox Esr

< 91.5

📦

Mozilla

Thunderbird

< 91.5

References & Advisories

🔗 https://bugzilla.mozilla.org/show_bug.cgi?id=1746720

🔗 https://www.mozilla.org/security/advisories/mfsa2022-01/

🔗 https://www.mozilla.org/security/advisories/mfsa2022-02/

🔗 https://www.mozilla.org/security/advisories/mfsa2022-03/

🔗 https://bugzilla.mozilla.org/show_bug.cgi?id=1746720

🔗 https://www.mozilla.org/security/advisories/mfsa2022-01/

🔗 https://www.mozilla.org/security/advisories/mfsa2022-02/

🔗 https://www.mozilla.org/security/advisories/mfsa2022-03/

相關漏洞威脅

CVE-2019-1170810.0

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the no...

CVE-2019-2513610.0

A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and ...

CVE-2018-1850510.0

An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication betwee...

CVE-2020-1238810.0

The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this iss...