Описание
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
The Mozilla Foundation Security Advisory describes this flaw as:
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.
Отчет
Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | firefox | Out of support scope | ||
| Red Hat Enterprise Linux 6 | thunderbird | Out of support scope | ||
| Red Hat Enterprise Linux 9 | firefox | Not affected | ||
| Red Hat Enterprise Linux 9 | thunderbird | Not affected | ||
| Red Hat Enterprise Linux 7 | firefox | Fixed | RHSA-2022:0824 | 10.03.2022 |
| Red Hat Enterprise Linux 7 | thunderbird | Fixed | RHSA-2022:0850 | 14.03.2022 |
| Red Hat Enterprise Linux 8 | firefox | Fixed | RHSA-2022:0818 | 10.03.2022 |
| Red Hat Enterprise Linux 8 | thunderbird | Fixed | RHSA-2022:0845 | 14.03.2022 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | firefox | Fixed | RHSA-2022:0815 | 10.03.2022 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | thunderbird | Fixed | RHSA-2022:0847 | 14.03.2022 |
Показывать по
Дополнительная информация
Статус:
9.6 Critical
CVSS3
Связанные уязвимости
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
If an attacker could control the contents of an iframe sandboxed with ...
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
Уязвимость браузера Mozilla Firefox, связанная с недостатками разграничения доступа, позволяющая нарушителю обойти введенные ограничения безопасности
9.6 Critical
CVSS3