Debian Security Advisory
DLA-3423-1 epiphany-browser -- LTS security update
- Date Reported: 15 May 2023
- Affected Packages: epiphany-browser
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2023-26081.
- More information:
It was discovered that there was a potential credential-stealing attack in epiphany-browser, the default GNOME web browser. When using a sandboxed Content Security Policy (CSP) or the HTML iframe tag, the sandboxed web content was trusted by the main/surrounding resource. With this update, however, the password manager is disabled entirely in these situations, so that the untrusted web content cannot exfiltrate passwords.

- CVE-2023-26081: In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.
For Debian 10 "Buster", this problem has been fixed in version 3.32.1.2-3~deb10u3.

We recommend that you upgrade your epiphany-browser packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS