Cross-Origin CSS Loading Vulnerability in Google Chrome
CVE-2016-1692

5.3MEDIUM

Key Information:

Vendor
Debian
Status
Debian Linux
Ubuntu Linux
Enterprise Linux Desktop
Enterprise Linux Server
Vendor
CVE Published:
5 June 2016

Summary

A vulnerability exists in Google Chrome prior to version 51.0.2704.63, where the Blink engine allows Service Workers to load CSS stylesheets from different origins. This occurs even if the stylesheets are served with an incorrect MIME type. As a result, remote attackers can exploit this issue to circumvent the Same Origin Policy by designing carefully crafted websites, potentially leading to unauthorized access to sensitive data and compromised user privacy.

References

https://codereview.chromium.org/1861243002
x_refsource_CONFIRM
http://www.securityfocus.com/bid/90876
vdb-entryx_refsource_BID
http://lists.opensuse.org/opensuse-security-announce/2016...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.