Debian Security Advisory
DLA-3423-1 epiphany-browser -- LTS security update
- Date Reported: 15 May 2023
- Affected Packages: epiphany-browser
- Security database references: In Mitre's CVE dictionary: CVE-2023-26081.
- More information:
It was discovered that there was a potential credential stealing attack in
epiphany-browser, the default GNOME web browser.
When using a sandboxed Content Security Policy (CSP) or the HTML iframe tag, the sandboxed web content was trusted by the main/surrounding resource. After this fix, the password manager is disabled entirely in these situations, so that the untrusted web content cannot exfiltrate passwords.
In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.
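The following is an added example, not Epiphany/GNOME Web code: a password-manager gate that refuses to autofill credentials into sandboxed contexts, the behaviour the fix above introduces. The frame objects are a constructed model of a browsing-context tree, not a real DOM API.

```javascript
// Added example (not Epiphany/GNOME Web code): a password-manager gate that
// refuses to autofill credentials into sandboxed contexts, the behaviour the
// fix described above introduces. The frame objects are a constructed model
// of a browsing-context tree, not a real DOM API.

// Parse a Content-Security-Policy header value into a Map of
// directive name -> source/flag tokens. Per the CSP spec, only the first
// occurrence of a directive within one policy is honoured.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A frame counts as sandboxed if any CSP header delivered with its document
// carries a "sandbox" directive (even with allow-* flags it is still a
// sandbox) or if it was embedded through <iframe sandbox=...>, where an empty
// attribute value still means "fully sandboxed".
// Model: { cspHeaders: string[], sandboxAttr: string|null, parent: frame|null }
function isSandboxed(frame) {
  if (frame.sandboxAttr !== null) return true;
  return frame.cspHeaders.some((h) => parseCsp(h).has('sandbox'));
}

// Sandboxing flags propagate to nested browsing contexts, so walk up to the
// top-level document: if the frame or any ancestor is sandboxed, the password
// manager must not fill this form.
function autofillAllowed(frame) {
  for (let f = frame; f !== null; f = f.parent) {
    if (isSandboxed(f)) return false;
  }
  return true;
}

// Constructed sample tree: a normal top-level page that embeds an
// <iframe sandbox="allow-forms allow-scripts"> holding untrusted content.
const topLevel = { cspHeaders: ["default-src 'self'"], sandboxAttr: null, parent: null };
const untrustedFrame = { cspHeaders: [], sandboxAttr: 'allow-forms allow-scripts', parent: topLevel };
const nestedInUntrusted = { cspHeaders: [], sandboxAttr: null, parent: untrustedFrame };

console.log(autofillAllowed(topLevel));          // true
console.log(autofillAllowed(untrustedFrame));    // false
console.log(autofillAllowed(nestedInUntrusted)); // false
```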
For Debian 10 Buster, this problem has been fixed in version 184.108.40.206-3~deb10u3.
We recommend that you upgrade your epiphany-browser packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS