CVE-2016-5149 — Code Injection in Google Chrome

CWE-94 — Code Injection6 documents5 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Opensuse Leap

Timeline

PublishedSep 11

Latest updateMay 14

Description

The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a resource that initially has the about:blank URL.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDgoogle/chrome52.0.2743.116

▶NVDopensuse/leap42.1

🔴Vulnerability Details

GHSA

GHSA-4crp-674x-454f: The extensions subsystem in Google Chrome before 53↗2022-05-14

▶

OSV

CVE-2016-5149: The extensions subsystem in Google Chrome before 53↗2016-09-11

▶

📋Vendor Advisories

Red Hat

chromium-browser: script injection in extensions↗2016-08-31

▶

💬Community

Bugzilla

CVE-2016-5149 chromium-browser: script injection in extensions↗2016-09-01

▶

Bugzilla

chromium: various flaws [fedora-all]↗2016-09-01

▶