Vulnerability Details : CVE-2023-26081
Potential exploit
In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because the built-in password manager autofills saved credentials in sandboxed contexts. A document inside a sandboxed iframe (a sandbox without allow-same-origin) has an opaque origin and may be attacker-supplied even when it is served from the site's own URL, so offering it the site's stored password lets that content capture the credential. The fix (merge request !1275, referenced below) stops autofill in sandboxed contexts; Fedora shipped it as epiphany-43.1 (Fedora 37) and epiphany-42.5 (Fedora 36).
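The following is an added example, not code from Epiphany, from the Google advisory, or from the fix: a small JavaScript model of a password manager's autofill decision, showing a vulnerable policy (keyed on the frame's document URL alone, which is an assumed shape of the bug, not something this page confirms) beside a hardened policy that refuses sandboxed frames, as the fix title describes. The frame descriptors, the bank.example and attacker.example names, and the stored credential are constructed for the example.

```javascript
// Added illustrative model; not Epiphany's code. Names, credential and frame
// descriptors are constructed for the example.

// Stored credentials keyed by the origin they were saved for (constructed).
const savedCredentials = new Map([
  ["https://bank.example", { username: "alice", password: "hunter2" }],
]);

// scheme://host[:port] of a document URL.
function urlOrigin(documentUrl) {
  return new URL(documentUrl).origin;
}

// Vulnerable policy (assumed shape of the bug): the decision looks only at the
// frame's document URL. A sandboxed iframe whose content is attacker-supplied
// but served from the site's own URL therefore receives the site's password.
function autofillVulnerable(frame) {
  return savedCredentials.get(urlOrigin(frame.documentUrl)) ?? null;
}

// Hardened policy, following the fix title "Don't autofill passwords in
// sandboxed contexts": refuse any frame that carries sandbox flags, and key the
// lookup on the frame's effective security origin, which the HTML spec makes
// opaque (serialised as "null") for a sandboxed frame without allow-same-origin.
function autofillHardened(frame) {
  if (frame.sandboxed) return null;
  const origin = frame.effectiveOrigin ?? urlOrigin(frame.documentUrl);
  if (origin === "null") return null;
  return savedCredentials.get(origin) ?? null;
}

// What attacker-controlled markup inside the frame ends up holding: with
// allow-scripts or allow-forms an injected login form can read the autofilled
// password field or auto-submit it to an attacker endpoint. Returns the
// password that would leak, or null when nothing is filled.
function leakedPassword(policy, frame) {
  const cred = policy(frame);
  return cred ? cred.password : null;
}

// Constructed frame descriptors, as a renderer might report them.
const frames = {
  // The site's real login page at top level.
  topLevelLogin: {
    documentUrl: "https://bank.example/login",
    sandboxed: false,
    effectiveOrigin: "https://bank.example",
  },
  // User-uploaded HTML the site embeds as
  // <iframe sandbox="allow-scripts allow-forms" src="/uploads/attacker.html">:
  // the document URL is on bank.example, but the security origin is opaque.
  sandboxedUpload: {
    documentUrl: "https://bank.example/uploads/attacker.html",
    sandboxed: true,
    effectiveOrigin: "null",
  },
  // A plain cross-origin iframe from another site: no credential matches.
  thirdParty: {
    documentUrl: "https://attacker.example/widget",
    sandboxed: false,
    effectiveOrigin: "https://attacker.example",
  },
};

// Side-by-side outcome for every frame under both policies.
function compare() {
  const out = {};
  for (const [name, frame] of Object.entries(frames)) {
    out[name] = {
      vulnerable: leakedPassword(autofillVulnerable, frame),
      hardened: leakedPassword(autofillHardened, frame),
    };
  }
  return out;
}

console.log(compare());
```

Run it with node. The sandboxedUpload case is the one the advisory is about: the vulnerable policy hands the attacker's markup the bank.example password, the hardened one fills nothing. Note that the hardened policy also refuses a sandboxed frame that was granted allow-same-origin; that matches the blanket rule in the fix title and costs autofill inside legitimately sandboxed same-origin frames, which is the safer trade.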
Products affected by CVE-2023-26081
- cpe:2.3:a:gnome:epiphany:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-26081
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~55% (the proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2023-26081
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-26081
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-26081
- https://lists.debian.org/debian-lts-announce/2023/05/msg00015.html
- https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
  Unsandboxed Password Manager · Advisory · google/security-research · GitHub (Exploit; Third Party Advisory)
- https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275
  Don't autofill passwords in sandboxed contexts (!1275) · Merge requests · GNOME / Epiphany · GitLab (Patch; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SADQCSQKTJKTTIJMEPY7GII6IVQSKEKV/
  [SECURITY] Fedora 37 Update: epiphany-43.1-1.fc37 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFWUNG6E4ZT43EYNHKYXS7QVSO2VW2H2/
  [SECURITY] Fedora 36 Update: epiphany-42.5-1.fc36 - package-announce - Fedora Mailing-Lists