#VU59663 Cross-site scripting in GNOME Web (Epiphany) - CVE-2021-45086

Cybersecurity Help s.r.o.

Published: 2022-01-17

Vulnerability identifier: #VU59663

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-45086

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GNOME Web (Epiphany)
Client/Desktop applications / Web browsers

Vendor: Gnome Development Team

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data, because a server's suggested_filename is used as the pdf_name value in PDF.js. A remote attacker can and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GNOME Web (Epiphany): 40.0 - 40.3, 41.0

External links
https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045
https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
https://www.debian.org/security/2022/dsa-5042

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for epiphany-browser

openEuler 22.03 LTS update for epiphany

Debian update for epiphany-browser

Multiple vulnerabilities in GNOME Web (Epiphany)