CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 0CVE-2023-37271 – RestrictedPython vulnerable to arbitrary code execution via stack frame sandbox escape
https://notcve.org/view.php?id=CVE-2023-37271
11 Jul 2023 — Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. • https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-25136
https://notcve.org/view.php?id=CVE-2019-25136
19 Jun 2023 — A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and a sandbox escape. • https://bugzilla.mozilla.org/show_bug.cgi?id=1530709 •
CVSS: 8.6EPSS: 0%CPEs: 8EXPL: 0CVE-2023-32409 – Apple Multiple Products WebKit Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2023-32409
30 May 2023 — A remote attacker may be able to break out of Web Content sandbox. ... Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit contain an unspecified vulnerability that can allow a remote attacker to break out of the Web Content sandbox. • https://support.apple.com/en-us/HT213757 •
CVSS: 10.0EPSS: 64%CPEs: 1EXPL: 2CVE-2023-32314 – Sandbox Escape
https://notcve.org/view.php?id=CVE-2023-32314
15 May 2023 — vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. ... As a result a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. ... A flaw was found in the vm2 sandbox. ... This may allow an attacker to run remote code execution on the host running the sandbox. • https://github.com/AdarkSt/Honeypot_Smart_Infrastructure • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-2136 – Google Chrome Skia Integer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2023-2136
19 Apr 2023 — Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. ... Google Chromium Skia contains an integer overflow vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. • https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html • CWE-190: Integer Overflow or Wraparound •
CVSS: 10.0EPSS: 84%CPEs: 1EXPL: 6CVE-2023-30547 – Sandbox Escape in vm2
https://notcve.org/view.php?id=CVE-2023-30547
17 Apr 2023 — vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. ... A flaw was found in the vm2 sandbox. ... This issue may allow an attacker to bypass the sandbox protections, which can lead to remot... • https://github.com/rvizx/CVE-2023-30547 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 10.0EPSS: 29%CPEs: 1EXPL: 1CVE-2023-29199 – vm2 Sandbox escape vulnerability
https://notcve.org/view.php?id=CVE-2023-29199
14 Apr 2023 — There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. ... A flaw was found in the vm2 sandbox. ... This issue may allow an a... • https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c • CWE-755: Improper Handling of Exceptional Conditions CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-26405 – ZDI-CAN-20712: Object Prototype pollution which leads to API Restrictions Bypass
https://notcve.org/view.php?id=CVE-2023-26405
12 Apr 2023 — This vulnerability allows remote attackers to escape the sandbox on affected installations of Adobe Acrobat Reader DC. ... An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code in the context of the current process. • https://helpx.adobe.com/security/products/acrobat/apsb23-24.html • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 8CVE-2023-26122
https://notcve.org/view.php?id=CVE-2023-26122
11 Apr 2023 — All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. ... All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. • https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce • CWE-265: Privilege Issues CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26919
https://notcve.org/view.php?id=CVE-2023-26919
10 Apr 2023 — delight-nashorn-sandbox 0.2.4 and 0.2.5 is vulnerable to sandbox escape. • https://github.com/javadelight/delight-nashorn-sandbox/issues/135 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •