CVE-2018-20071 — Cross-site Scripting in Google Chrome

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 64.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome

Timeline

PublishedJan 9

Latest updateMay 14

Description

Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controled files via a crafted HTML page.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5google/chromeunspecified — 70.0.3538.67

▶NVDgoogle/chrome< 70.0.3538.67

🔴Vulnerability Details

GHSA

GHSA-fp62-x6pf-8qrh: Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70↗2022-05-14

▶

OSV

CVE-2018-20071: Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70↗2019-01-09

▶