CVE-2015-1235 — Cross-Site Request Forgery in Google Chrome

CWE-264 CWE-352 — Cross-Site Request Forgery7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

1.1%

top 21.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Canonical Ubuntu Linux Debian Linux

Timeline

PublishedApr 19

Latest updateMay 17

Description

The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDgoogle/chrome42.0.2311.60

Also affects: Debian Linux 8.0, Ubuntu Linux 14.04, 14.10, 15.04

🔴Vulnerability Details

GHSA

GHSA-mj5c-m7rm-67v6: The ContainerNode::parserRemoveChild function in core/dom/ContainerNode↗2022-05-17

▶

OSV

oxide-qt vulnerabilities↗2015-04-27

▶

OSV

CVE-2015-1235: The ContainerNode::parserRemoveChild function in core/dom/ContainerNode↗2015-04-19

▶

📋Vendor Advisories

Ubuntu

Oxide vulnerabilities↗2015-04-27

▶

Red Hat

chromium-browser: Cross-origin-bypass in HTML parser↗2015-04-14

▶

💬Community

Bugzilla

CVE-2015-1235 chromium-browser: Cross-origin-bypass in HTML parser↗2015-04-15

▶