7.1

CVE-2016-5173

EPSS 0.75%
Veröffentlicht 25.09.2016 20:59:05
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle chrome-cve-admin@google.com
CVE-Watchlists
Login
Unerledigt
Login

The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Chrome Version <= 53.0.2785.101

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.75%	0.722

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	2.8	3.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://security.gentoo.org/glsa/201610-09

http://www.debian.org/security/2016/dsa-3667

http://rhn.redhat.com/errata/RHSA-2016-1905.html

http://www.securityfocus.com/bid/92942

http://www.securitytracker.com/id/1036826

https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html

https://codereview.chromium.org/1840453002

https://crbug.com/468931

https://crbug.com/471523

https://crbug.com/497507

https://nvd.nist.gov/vuln/detail/CVE-2016-5173

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-5173

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-5173

EUVD