CVE-2021-1765
published 2021-04-02

Priority: P1 (79)
Severity: medium, CVSS 3.1 base score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.41% (69.2th percentile)
This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave. Maliciously crafted web content may violate iframe sandboxing policy.

Affected

12 ranges

Vendor          Product                                                                                   Version range                          Fixed in
apple           mac_os_x                                                                                  -                                      -
apple           mac_os_x                                                                                  -                                      -
apple           mac_os_x                                                                                  >= 10.14 < 10.14.6                    10.14.6
apple           mac_os_x                                                                                  >= 10.15 < 10.15.7                    10.15.7
apple           macos                                                                                     >= 11.0 < 11.2                         11.2
apple           macos                                                                                     >= unspecified < 11.2                  11.2
apple           macos_big_sur_11.2_security_update_2021-001_catalina_security_update_2021-001_mo          -                                      -
debian          webkit2gtk                                                                                < webkit2gtk 2.30.6-1 (bookworm)       webkit2gtk 2.30.6-1 (bookworm)
debian          wpewebkit                                                                                 < webkit2gtk 2.30.6-1 (bookworm)       webkit2gtk 2.30.6-1 (bookworm)
fedoraproject   fedora                                                                                    -                                      -
fedoraproject   fedora                                                                                    -                                      -
webkitgtk       webkitgtk                                                                                 < 2.30.6                               2.30.6

Detection & IOCs

  • Vulnerability is in the WebKit component; maliciously crafted web content triggers an iframe sandboxing policy violation
  • Affected component is WebKitGTK and WPE WebKit in versions prior to 2.30.6; monitor for exploitation attempts against these versions
  • Fix is available in WebKitGTK/WPE WebKit 2.30.6 and later; versions prior to 2.30.6 are vulnerable
  • The highest threat from this vulnerability is to data integrity, not confidentiality or availability
  • Red Hat Enterprise Linux 9 webkit2gtk3 package is not affected; RHEL 6 and 7 packages are out of support scope

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             v3.1           6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd             v2.0           4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N
osv             -              6.5     MEDIUM     -
vulncheck       -              6.5     MEDIUM     -
vendor_debian   -              6.5     MEDIUM     -
vendor_redhat   -              6.5     MEDIUM     -