CVE-2015-1304 — Improper Access Control in Google Chrome

CWE-284 — Improper Access Control9 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.9%

top 16.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedOct 12

Latest updateMay 17

Description

object-observe.js in Google V8, as used in Google Chrome before 45.0.2454.101, does not properly restrict method calls on access-checked objects, which allows remote attackers to bypass the Same Origin Policy via a (1) observe or (2) getNotifier call.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDgoogle/chrome45.0.2454.93

🔴Vulnerability Details

GHSA

GHSA-5f4w-ffvr-g82j: object-observe↗2022-05-17

▶

OSV

oxide-qt vulnerabilities↗2015-10-05

▶

OSV

CVE-2015-1304: object-observe↗2015-09-29

▶

📋Vendor Advisories

Ubuntu

Oxide vulnerabilities↗2015-10-05

▶

Red Hat

chromium-browser: Cross-origin bypass in V8↗2015-09-24

▶

Red Hat

webkitgtk: arbitrary code execution and denial of service via a crafted web site (WSA-2015-0001)↗2015-01-26

▶

💬Community

Bugzilla

CVE-2015-1304 chromium-browser: Cross-origin bypass in V8↗2015-09-25

▶

Bugzilla

CVE-2014-1304 webkitgtk: arbitrary code execution and denial of service via a crafted web site (WSA-2015-0001)↗2015-01-27

▶