CVE-2016-1640 — Google Chrome vulnerability

CWE-175 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.8%

top 26.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedMar 6

Latest updateMay 17

Description

The Web Store inline-installer implementation in the Extensions UI in Google Chrome before 49.0.2623.75 does not block installations upon deletion of an installation frame, which makes it easier for remote attackers to trick a user into believing that an installation request originated from the user's next navigation target via a crafted web site.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDgoogle/chrome48.0.2564.116

🔴Vulnerability Details

GHSA

GHSA-p47q-fxm6-v534: The Web Store inline-installer implementation in the Extensions UI in Google Chrome before 49↗2022-05-17

▶

OSV

CVE-2016-1640: The Web Store inline-installer implementation in the Extensions UI in Google Chrome before 49↗2016-03-06

▶

📋Vendor Advisories

Red Hat

chromium-browser: origin confusion in Extensions UI↗2016-03-02

▶

💬Community

Bugzilla

CVE-2016-1640 chromium-browser: origin confusion in Extensions UI↗2016-03-03

▶