CVE-2017-5018Cross-site Scripting in Google Chrome

CWE-79Cross-site Scripting6 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.4%
top 36.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Chrome
Timeline
PublishedFeb 17
Latest updateMay 14

Description

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

NVDgoogle/chrome55.0.2883.87

🔴Vulnerability Details

2
GHSA
GHSA-6xg6-mxpp-jx88: Google Chrome prior to 562022-05-14
OSV
CVE-2017-5018: Google Chrome prior to 562017-02-17

📋Vendor Advisories

1
Red Hat
chromium-browser: universal xss in chrome://apps2017-01-25

💬Community

2
Bugzilla
CVE-2017-5018 chromium-browser: universal xss in chrome://apps2017-01-26
Bugzilla
chromium: various flaws [fedora-all]2017-01-26