CVE-2016-1657

CWE-254 | 6 documents | 6 sources
Severity: 4.3 MEDIUM
EPSS: 2.2% (top 15.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 18 | Latest update May 14

Description

The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 50.0.2661.75 mishandles focus for certain about:blank pages, which allows remote attackers to spoof the address bar via a crafted URL.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

NVD: google/chrome 49.0.2623.112
Ubuntu: chromium-browser < 50.0.2661.102-0ubuntu0.14.04.1.1117+1
NVD: opensuse/leap 42.1

Also affects: Debian Linux 8.0

🔴 Vulnerability Details (3)

GHSA | GHSA-595r-2p8v-2w88: The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl | 2022-05-14
CVEList | CVE-2016-1657: The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl | 2016-04-18
OSV | CVE-2016-1657: The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl | 2016-04-18

📋 Vendor Advisories (1)

Red Hat | chromium-browser: address bar spoofing | 2016-04-13

💬 Community (1)

Bugzilla | CVE-2016-1657 chromium-browser: address bar spoofing | 2016-04-14