Vulnerability in Google Chrome Extensions Allows Bypass of Same Origin Policy
CVE-2016-1658

4.3 MEDIUM

Key Information:

Vendor
Novell
CVE Published:
18 April 2016

Summary

The Extensions subsystem in specific versions of Google Chrome has a weakness in how it handles origin comparisons via the GetOrigin method. This issue potentially allows remote attackers to bypass the Same Origin Policy and gain unauthorized access to sensitive information through a crafted browser extension. Users of affected versions should consider updating their browser to mitigate this vulnerability.

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
