CVE-2021-45086

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggestedfilename is used as the pdfname value in PDF.js.

References

Affected packages

Git / gitlab.gnome.org/GNOME/epiphany

Affected ranges

Type: GIT
Repo: https://gitlab.gnome.org/GNOME/epiphany
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4088856b3371bda10adc3b818f58b3087b8f9dbc

Affected versions

2.*

2.27.4

2.27.5

2.27.90

2.27.91

2.27.92

2.29.1

2.29.3

2.29.5

2.29.6

2.29.90

2.29.91

2.29.92

2.30

2.30.1

2.30.2

2.31.2

2.31.4

2.31.5

2.91.1

2.91.1.1

2.91.2

2.91.3

2.91.4

2.91.4.1

2.91.5

2.91.6

2.91.90

2.91.91

2.91.91.1

2.91.92

3.*

3.0.0

3.1.2

3.1.5

3.1.90

3.1.91

3.1.91.1

3.1.92

3.10.0

3.10.1

3.11.1

3.11.2

3.11.3

3.11.4

3.11.90

3.11.91

3.11.92

3.12.0

3.12.1

3.13.90

3.13.91

3.14.0

3.14.1

3.15.1

3.15.90

3.15.92

3.16.0

3.16.1

3.17.1

3.17.2

3.17.91

3.18.0

3.19.1

3.19.90

3.19.91

3.19.92

3.2.0

3.20.0

3.21.1

3.21.2

3.21.3

3.21.4

3.23.1

3.23.1.1

3.23.1.2

3.23.2

3.23.2.1

3.23.3

3.23.4

3.23.5

3.23.90

3.23.91

3.23.91.1

3.23.92

3.23.93

3.24.0

3.24.1

3.25.1

3.25.2

3.25.3

3.25.4

3.25.90

3.25.91

3.25.92

3.26.0

3.27.1

3.27.2

3.27.3

3.27.4

3.27.90

3.29.1

3.29.2

3.29.3

3.29.4

3.29.90

3.29.91

3.29.92

3.3.1

3.3.2

3.3.3

3.3.4

3.3.4.1

3.3.5

3.3.90

3.3.91

3.3.92

3.31.1

3.31.2

3.31.3

3.31.4

3.31.90

3.33.1

3.33.2

3.33.3

3.33.4

3.33.90

3.33.91

3.33.92

3.34.0

3.35.1

3.35.2

3.35.3

3.35.90

3.35.91

3.35.92

3.36.0

3.37.1

3.37.2

3.37.3

3.37.90

3.37.91

3.37.92

3.38.0

3.5.1

3.5.3

3.5.4

3.5.5

3.5.90

3.5.91.1

3.5.92

3.6.0

3.7.1

3.7.3

3.7.5

3.7.90

3.7.91

3.7.92

3.9.2

3.9.3

3.9.90

3.9.91

40.*

40.0

40.1

40.2

40.3

40.alpha

40.beta

40.rc

Other

BEFORE_HARVES18

GNOME_2_10_ANCHOR

GNOME_2_12_BRANCHPOINT

GNOME_2_14_BRANCHPOINT

GNOME_2_16_BRANCHPOINT

GNOME_2_18_BRANCHPOINT

GTK_ENGINES_2_6_0

INITIAL

PRE_GNOME_2_14_BRANCHPOINT

RELEASE_2_14_0

RELEASE_2_15_1

RELEASE_2_15_2

RELEASE_2_15_3

RELEASE_2_15_4

RELEASE_2_15_92

RELEASE_2_16_0

RELEASE_2_17_2

RELEASE_2_17_3

RELEASE_2_17_4

RELEASE_2_17_5

RELEASE_2_17_90

RELEASE_2_17_91

RELEASE_2_17_92

RELEASE_2_18_0

RELEASE_2_19_2

RELEASE_2_19_5

RELEASE_2_19_6

RELEASE_2_19_90

RELEASE_2_21_4

RELEASE_2_21_5

RELEASE_2_21_90

RELEASE_2_21_92

RELEASE_2_23_91

RELEASE_2_5_91

Release070

Release072

Release073

Release081

Release082

Release083

Release090

Release091

Release092

Release110

Release111

Release1110

Release1111

Release1112

Release112

Release113

Release115

Release117

Release119

Release120

Release130

Release131

Release132

Release133

Release134

Release135

Release136

Release137

Release138

Release151

Release152

Release153

Release154

Release155

Release156

Release157

Release158

Release160

Release171

Release172

Release173

Release174

Release175

Release176

Release191

Release192

Release193

Release1931

Release194

Release195

Release1951

Release196

Release198

Release1999

WEBCORE_BRANCHPOINT

WEBKIT_BRANCHPOINT

XULRUNNER_BRANCHPOINT

gnome-2-8-branchpoint

help

pre-gnome-2-10-branchpoint

actual-2.*

actual-2.29.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45086.json"