CVE-2015-1241 — UI Misrepresentation / Clickjacking in Google Chrome

CWE-1021 — UI Misrepresentation / Clickjacking CWE-352 — Cross-Site Request Forgery CWE-20 — Improper Input Validation CWE-1241 — Use of Predictable Algorithm in Random Number Generator8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

2.8%

top 13.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Canonical Ubuntu Linux Debian Linux +8 more

Timeline

PublishedApr 19

Latest updateMay 17

Description

Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages5 packages

▶NVDgoogle/chrome< 42.0.2311.90

▶NVDopensuse/opensuse13.1, 13.2+1

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_workstation6.0

Also affects: Debian Linux 8.0, Linux Enterprise 12.0, Ubuntu Linux 14.04, 14.10, 15.04, Enterprise Linux 6.6

🔴Vulnerability Details

GHSA

GHSA-5rxr-h5mf-7p7w: Google Chrome before 42↗2022-05-17

▶

CVEList

CVE-2015-1241: Google Chrome before 42↗2015-04-19

▶

OSV

CVE-2015-1241: Google Chrome before 42↗2015-04-19

▶

📋Vendor Advisories

Ubuntu

Oxide vulnerabilities↗2015-04-27

▶

Red Hat

chromium-browser: tap-jacking vulnerability↗2015-04-14

▶

Red Hat

gcc: Predictable randomness from std::random_device↗2015-02-20

▶

💬Community

Bugzilla

CVE-2015-1241 chromium-browser: tap-jacking vulnerability↗2015-04-15

▶