CVE-2021-45086
published 2021-12-16CVE-2021-45086: XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js.
PriorityP424medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
1.29%
66.7th percentile
XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | epiphany-browser | < epiphany-browser 41.2-1 (bookworm) | epiphany-browser 41.2-1 (bookworm) |
| gnome | epiphany | < 40.4 | 40.4 |
| gnome | epiphany | >= 41.0 < 41.1 | 41.1 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_debian6.1MEDIUM
vendor_ubuntu6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
GNOME Web vulnerabilities
vendor_ubuntu·2022-08-10·CVSS 6.1
CVE-2022-29536 [MEDIUM] GNOME Web vulnerabilities
Title: GNOME Web vulnerabilities
Summary: Several security issues were fixed in GNOME Web.
It was discovered that GNOME Web incorrectly filtered certain strings. A
remote attacker could use this issue to perform cross-site scripting (XSS)
attacks. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-45085,
CVE-2021-45086, CVE-2021-45087)
It was discovered that GNOME Web incorrectly handled certain long page
titles. A remote attacker could use this issue to cause GNOME Web to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2022-29536)
Instructions: After a standard system update you need to restart GNOME Web to make all
the necessary changes.
Debian
CVE-2021-45086: epiphany-browser - XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 becau...
vendor_debian·2021·CVSS 6.1
CVE-2021-45086 [MEDIUM] CVE-2021-45086: epiphany-browser - XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 becau...
XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js.
Scope: local
bookworm: resolved (fixed in 41.2-1)
bullseye: resolved (fixed in 3.38.2-1+deb11u1)
forky: resolved (fixed in 41.2-1)
sid: resolved (fixed in 41.2-1)
trixie: resolved (fixed in 41.2-1)
OSV
epiphany-browser vulnerabilities
osv·2022-08-10·CVSS 6.1
CVE-2021-45085 [MEDIUM] epiphany-browser vulnerabilities
epiphany-browser vulnerabilities
It was discovered that GNOME Web incorrectly filtered certain strings. A
remote attacker could use this issue to perform cross-site scripting (XSS)
attacks. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-45085,
CVE-2021-45086, CVE-2021-45087)
It was discovered that GNOME Web incorrectly handled certain long page
titles. A remote attacker could use this issue to cause GNOME Web to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2022-29536)
GHSA
GHSA-vv96-jq6f-v366: XSS can occur in GNOME Web (aka Epiphany) before 40
ghsa_unreviewed·2021-12-17
CVE-2021-45086 [MEDIUM] CWE-79 GHSA-vv96-jq6f-v366: XSS can occur in GNOME Web (aka Epiphany) before 40
XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js.
OSV
CVE-2021-45086: XSS can occur in GNOME Web (aka Epiphany) before 40
osv·2021-12-16·CVSS 6.1
CVE-2021-45086 [MEDIUM] CVE-2021-45086: XSS can occur in GNOME Web (aka Epiphany) before 40
XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045https://www.debian.org/security/2022/dsa-5042https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045https://www.debian.org/security/2022/dsa-5042
2021-12-16
Published