CVE-2021-44748 - OpenCVE

A vulnerability affecting F-Secure SAFE browser was discovered whereby browsers loads images automatically this vulnerability can be exploited remotely by an attacker to execute the JavaScript can be used to trigger universal cross-site scripting through the browser. User interaction is required prior to exploitation, such as entering a malicious website to trigger the vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
F-secure	Safe

Configuration 1 [-]

cpe:2.3:a:f-secure:safe:18.5:*:*:*:*:android:*:*

References

Link	Resource
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44748	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: F-SecureUS

Published: 2022-03-06T19:05:38

Updated: 2022-03-07T15:12:30

Reserved: 2021-12-08T00:00:00

Link: CVE-2021-44748

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-06T20:15:07.940

Modified: 2022-03-11T17:26:15.487

Link: CVE-2021-44748

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "F-Secure SAFE Browser for Android Version 18.5", "vendor": "F-Secure", "versions": [{"lessThan": "18.5x", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability affecting F-Secure SAFE browser was discovered whereby browsers loads images automatically this vulnerability can be exploited remotely by an attacker to execute the JavaScript can be used to trigger universal cross-site scripting through the browser. User interaction is required prior to exploitation, such as entering a malicious website to trigger the vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser for Android", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-07T15:12:30", "orgId": "126858f1-1b65-4b74-81ca-7034f7f7723f", "shortName": "F-SecureUS"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44748"}], "solutions": [{"lang": "en", "value": "FIX : A fix has been released in the automatic update channel since 18th February 2022. No user action is required if automatic update is enabled."}], "source": {"discovery": "EXTERNAL"}, "title": "Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser for Android", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-notifications-us@f-secure.com", "ID": "CVE-2021-44748", "STATE": "PUBLIC", "TITLE": "Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser for Android"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "F-Secure SAFE Browser for Android Version 18.5", "version": {"version_data": [{"version_affected": "<", "version_value": "18.5x"}]}}]}, "vendor_name": "F-Secure"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability affecting F-Secure SAFE browser was discovered whereby browsers loads images automatically this vulnerability can be exploited remotely by an attacker to execute the JavaScript can be used to trigger universal cross-site scripting through the browser. User interaction is required prior to exploitation, such as entering a malicious website to trigger the vulnerability."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser for Android"}]}]}, "references": {"reference_data": [{"name": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44748", "refsource": "MISC", "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44748"}]}, "solution": [{"lang": "en", "value": "FIX : A fix has been released in the automatic update channel since 18th February 2022. No user action is required if automatic update is enabled."}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "126858f1-1b65-4b74-81ca-7034f7f7723f", "assignerShortName": "F-SecureUS", "cveId": "CVE-2021-44748", "datePublished": "2022-03-06T19:05:38", "dateReserved": "2021-12-08T00:00:00", "dateUpdated": "2022-03-07T15:12:30", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f-secure:safe:18.5:*:*:*:*:android:*:*", "matchCriteriaId": "49E9DA1D-41B3-42A5-9616-0606F5D06F74", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability affecting F-Secure SAFE browser was discovered whereby browsers loads images automatically this vulnerability can be exploited remotely by an attacker to execute the JavaScript can be used to trigger universal cross-site scripting through the browser. User interaction is required prior to exploitation, such as entering a malicious website to trigger the vulnerability."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad que afecta al navegador F-Secure SAFE por la que los navegadores cargan im\u00e1genes autom\u00e1ticamente esta vulnerabilidad puede ser explotada de forma remota por un atacante para ejecutar el JavaScript puede ser usado para desencadenar un ataque de tipo cross-site scripting universal mediante el navegador. Es requerida una interacci\u00f3n del usuario antes de la explotaci\u00f3n, como entrar en un sitio web malicioso para desencadenar la vulnerabilidad"}], "id": "CVE-2021-44748", "lastModified": "2022-03-11T17:26:15.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cve-notifications-us@f-secure.com", "type": "Secondary"}]}, "published": "2022-03-06T20:15:07.940", "references": [{"source": "cve-notifications-us@f-secure.com", "tags": ["Vendor Advisory"], "url": "https://www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-44748"}], "sourceIdentifier": "cve-notifications-us@f-secure.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}