CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS Percentile: 71.7%

WebKit, as used in Google Chrome before 15.0.874.102 and Android before
4.4, allows remote attackers to bypass the Same Origin Policy and conduct
Universal XSS (UXSS) attacks via vectors related to (1) the
DOMWindow::clear function and use of a selection object, (2) the
Object::GetRealNamedPropertyInPrototypeChain function and use of an
`__proto__` property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL
function and use of a javascript: URL, (4) incorrect origins for
XSLT-generated documents in the XSLTProcessor::createDocumentFromSource
function, and (5) improper handling of synchronous frame loads in the
ScriptController::executeIfJavaScriptURL function.
Author | Note |
---|---|
jdstrand | qt4-x11 unmaintained upstream (see README.webkit for details) |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 10.04 | noarch | chromium-browser | < 23.0.1271.97-0ubuntu0.10.04.1 | UNKNOWN |
ubuntu | 11.10 | noarch | chromium-browser | < 23.0.1271.97-0ubuntu0.11.10.1 | UNKNOWN |