CVE-2016-5173 Information
Description
The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reference
http://rhn.redhat.com/errata/RHSA-2016-1905.html
http://www.debian.org/security/2016/dsa-3667
http://www.securityfocus.com/bid/92942
http://www.securitytracker.com/id/1036826
https://codereview.chromium.org/1840453002
https://crbug.com/468931
https://crbug.com/471523
https://crbug.com/497507
https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html
https://security.gentoo.org/glsa/201610-09
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Base Score: 7.1
Base Severity: HIGH