CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Percentile: 78.7%

The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in
Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK
characters in the omnibox, which makes it easier for remote attackers to
spoof the SSL lock icon by placing one of these characters at the end of a
URL, as demonstrated by the omnibox in localizations for right-to-left
languages.

Author | Note |
---|---|
chrisccoulson | URL displayed to the user in Oxide embedders is decoded by Qt |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | chromium-browser | < 45.0.2454.85-0ubuntu0.14.04.1.1097 | UNKNOWN |
ubuntu | 15.04 | noarch | chromium-browser | < 45.0.2454.85-0ubuntu0.15.04.1.1181 | UNKNOWN |
ubuntu | 15.10 | noarch | chromium-browser | < 45.0.2454.85-0ubuntu1.1198 | UNKNOWN |