CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24783 – Sandbox bypass leading to arbitrary code execution in Deno
https://notcve.org/view.php?id=CVE-2022-24783
Deno is a runtime for JavaScript and TypeScript. The versions of Deno between release 1.18.0 and 1.20.2 (inclusive) are vulnerable to an attack where a malicious actor controlling the code executed in a Deno runtime could bypass all permission checks and execute arbitrary shell code. This vulnerability does not affect users of Deno Deploy. The vulnerability has been patched in Deno 1.20.3. There is no workaround. • https://github.com/denoland/deno/security/advisories/GHSA-838h-jqp6-cf2f • CWE-269: Improper Privilege Management CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 2CVE-2021-23771 – Sandbox Bypass
https://notcve.org/view.php?id=CVE-2021-23771
It is vulnerable to Sandbox Escape leading to Prototype pollution. • https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587 https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 3CVE-2021-44964 – lua: use after free allows Sandbox Escape
https://notcve.org/view.php?id=CVE-2021-44964
Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file. ... This flaw allows an attacker who can have a malicious script executed by the interpreter, to cause a use-after-free issue that may result in a sandbox escape. • http://lua-users.org/lists/lua-l/2021-11/msg00186.html http://lua-users.org/lists/lua-l/2021-12/msg00007.html http://lua-users.org/lists/lua-l/2021-12/msg00015.html http://lua-users.org/lists/lua-l/2021-12/msg00030.html https://github.com/Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerability https://access.redhat.com/security/cve/CVE-2021-44964 https://bugzilla.redhat.com/show_bug.cgi? • CWE-416: Use After Free •
CVSS: 9.6EPSS: 0%CPEs: 3EXPL: 1CVE-2022-26384 – Mozilla: iframe allow-scripts sandbox bypass
https://notcve.org/view.php?id=CVE-2022-26384
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7. Si un atacante pudiera controlar el contenido de un iframe en un espacio aislado con <code>allow-popups</code> pero no con <code>allow-scripts</code>, podría crear un enlace que, al hacer clic, conduciría a Ejecución de JavaScript en violación de la sandbox. Esta vulnerabilidad afecta a Firefox < 98, Firefox ESR < 91,7 y Thunderbird < 91.7. The Mozilla Foundation Security Advisory describes this flaw as: If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. • https://bugzilla.mozilla.org/show_bug.cgi?id=1744352 https://www.mozilla.org/security/advisories/mfsa2022-10 https://www.mozilla.org/security/advisories/mfsa2022-11 https://www.mozilla.org/security/advisories/mfsa2022-12 https://access.redhat.com/security/cve/CVE-2022-26384 https://bugzilla.redhat.com/show_bug.cgi?id=2062221 • CWE-179: Incorrect Behavior Order: Early Validation •
CVSS: 9.6EPSS: 0%CPEs: 5EXPL: 2CVE-2022-26486 – Mozilla Firefox Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2022-26486
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. ... An unexpected message in the WebGPU IPC framework could lead to an exploitable sandbox escape and a use-after-free issue. • https://bugzilla.mozilla.org/show_bug.cgi?id=1758070 https://www.mozilla.org/security/advisories/mfsa2022-09 https://access.redhat.com/security/cve/CVE-2022-26486 https://bugzilla.redhat.com/show_bug.cgi?id=2061735 • CWE-416: Use After Free •