CVE-2016-5173
Published: 25 September 2016
The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
chromium-browser Launchpad, Ubuntu, Debian |
precise |
Ignored
|
| trusty |
Released
(53.0.2785.143-0ubuntu0.14.04.1.1142)
|
|
| upstream |
Released
(53.0.2785.113)
|
|
| xenial |
Released
(53.0.2785.143-0ubuntu0.16.04.1.1254)
|
|
| yakkety |
Released
(53.0.2785.143-0ubuntu1.1307)
|
|
|
oxide-qt Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |