4.3
CVE-2011-3881
- EPSS 1.78%
- Veröffentlicht 25.10.2011 19:55:01
- Zuletzt bearbeitet 16.06.2026 23:34:05
- Quelle chrome-cve-admin@google.com
- CVE-Watchlists
- Unerledigt
WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to (1) the DOMWindow::clear function and use of a selection object, (2) the Object::GetRealNamedPropertyInPrototypeChain function and use of an __proto__ property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL, (4) incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and (5) improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.78% | 0.754 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
http://secunia.com/advisories/48288
http://secunia.com/advisories/48377
http://www.securitytracker.com/id?1026774
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://code.google.com/p/chromium/issues/detail?id=96047
http://code.google.com/p/chromium/issues/detail?id=96885
http://code.google.com/p/chromium/issues/detail?id=98053
http://code.google.com/p/chromium/issues/detail?id=99512
http://code.google.com/p/chromium/issues/detail?id=99750
http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html
https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef
https://exchange.xforce.ibmcloud.com/vulnerabilities/70959
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12940