CVE-2013-6634 — Improper Authentication in Google Chrome

CWE-287 — Improper Authentication2 documents2 sources

Severity

6.8MEDIUMNVD

EPSS

1.3%

top 20.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedDec 7

Latest updateMay 17

Description

The OneClickSigninHelper::ShowInfoBarIfPossible function in browser/ui/sync/one_click_signin_helper.cc in Google Chrome before 31.0.1650.63 uses an incorrect URL during realm validation, which allows remote attackers to conduct session fixation attacks and hijack web sessions by triggering improper sync after a 302 (aka Found) HTTP status code.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDgoogle/chrome31.0.1650.62+57

Patches

Patch: src.chromium.org ↗Patch: src.chromium.org ↗

🔴Vulnerability Details

GHSA

GHSA-74gf-43jg-q6vr: The OneClickSigninHelper::ShowInfoBarIfPossible function in browser/ui/sync/one_click_signin_helper↗2022-05-17

▶