Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-5124: Cross-site Scripting in Google Chrome

Severity
6.1 MEDIUM (NVD)
EPSS
19.1%
top 4.64%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 7
Latest update: May 14

Description

Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

NVD: google/chrome < 62.0.3202.62

Also affects: Debian Linux 8.0, 9.0

🔴 Vulnerability Details (2)

GHSA
GHSA-g2xv-2cjq-c43m: Incorrect application of sandboxing in Blink in Google Chrome prior to 62 (2022-05-14)
OSV
CVE-2017-5124: Incorrect application of sandboxing in Blink in Google Chrome prior to 62 (2018-02-07)

💥 Exploits & PoCs (1)

Exploit-DB
Webkit (Chrome < 61) - 'MHTML' Universal Cross-site Scripting (2017-10-03)

🔍 Detection Rules (1)

Suricata
ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124) (2017-11-15)

📋 Vendor Advisories (1)

Red Hat
chromium-browser: uxss with mhtml (2017-10-17)

💬 Community (2)

Bugzilla
CVE-2017-5124 chromium-browser: uxss with mhtml (2017-10-18)
Bugzilla
CVE-2017-15386 CVE-2017-15387 CVE-2017-15388 CVE-2017-15389 CVE-2017-15390 CVE-2017-15391 CVE-2017-15392 CVE-2017-15393 CVE-2017-15394 CVE-2017-15395 CVE-2017-5124 CVE-2017-5125 CVE-2017-5126 CVE-2017 (2017-10-18)