CVE-2016-5218 — Improper Input Validation in Google Chrome

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 43.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedJan 19

Latest updateMay 14

Description

The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled navigation within PDFs, which allowed a remote attacker to temporarily spoof the contents of the Omnibox (URL bar) via a crafted HTML page containing PDF data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶NVDgoogle/chrome54.0.2840.99

🔴Vulnerability Details

GHSA

GHSA-q9qw-4hxf-q5wf: The extensions API in Google Chrome prior to 55↗2022-05-14

▶

OSV

CVE-2016-5218: The extensions API in Google Chrome prior to 55↗2017-01-19

▶

📋Vendor Advisories

Red Hat

chromium-browser: address spoofing in omnibox↗2016-12-01

▶

💬Community

Bugzilla

CVE-2016-5218 chromium-browser: address spoofing in omnibox↗2016-12-02

▶

Bugzilla

chromium: various flaws [fedora-all]↗2016-12-02

▶