CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-38017
https://notcve.org/view.php?id=CVE-2021-38017
Insufficient policy enforcement in iframe sandbox in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Una aplicación inapropiada de políticas en iframe sandbox en Google Chrome versiones anteriores a 96.0.4664.45, permitía a un atacante remoto omitir las restricciones de navegación por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html https://crbug.com/1256822 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744 https://www.debian.org/security/2022/dsa-5046 • CWE-863: Incorrect Authorization •
CVSS: 9.6EPSS: 0%CPEs: 5EXPL: 1CVE-2021-38013
https://notcve.org/view.php?id=CVE-2021-38013
Heap buffer overflow in fingerprint recognition in Google Chrome on ChromeOS prior to 96.0.4664.45 allowed a remote attacker who had compromised a WebUI renderer process to potentially perform a sandbox escape via a crafted HTML page. Un desbordamiento del búfer de la pila en fingerprint recognition en Google Chrome en ChromeOS versiones anteriores a 96.0.4664.45, permitía a un atacante remoto que hubiera comprometido un proceso de renderización de la WebUI llevar a cabo potencialmente un filtrado de sandbox por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html https://crbug.com/1242392 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744 https://www.debian.org/security/2022/dsa-5046 • CWE-787: Out-of-bounds Write •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-43543 – Mozilla: Bypass of CSP sandbox directive when embedding
https://notcve.org/view.php?id=CVE-2021-43543
Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content. ... Los documentos cargados con la directiva CSP sandbox podrían escapar de la restricción de scripts del sandbox al insertar contenido adicional. • https://bugzilla.mozilla.org/show_bug.cgi?id=1738418 https://lists.debian.org/debian-lts-announce/2021/12/msg00030.html https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html https://security.gentoo.org/glsa/202202-03 https://security.gentoo.org/glsa/202208-14 https://www.debian.org/security/2021/dsa-5026 https://www.debian.org/security/2022/dsa-5034 https://www.mozilla.org/security/advisories/mfsa2021-52 https://www.mozilla.org/security/advisories/mfsa2021-53 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23259 – Groovy Sandbox Bypass
https://notcve.org/view.php?id=CVE-2021-23259
Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE). Los usuarios autenticados con roles de Administrador o Desarrollador pueden ejecutar comandos del sistema operativo mediante el Script Groovy que usa Groovy lib para renderizar una página web. El script groovy no presenta restricciones de seguridad, lo que causará que atacantes ejecuten comandos arbitrarios de forma remota (RCE) • https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120102 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2021-38002
https://notcve.org/view.php?id=CVE-2021-38002
Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Un uso de memoria previamente liberada en Web Transport en Google Chrome versiones anteriores a 95.0.4638.69, permitía a un atacante remoto llevar a cabo un escape de sandbox por medio de una página HTML diseñada • https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html https://crbug.com/1260940 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W46HRT2UVHWSLZB6JZHQF6JNQWKV744 https://www.debian.org/security/2022/dsa-5046 • CWE-416: Use After Free •