Insufficient Origin Policy Enforcement in Google Chrome for Android
CVE-2016-5196

8.8HIGH

Key Information:

Vendor

Google
Status
Google Chrome Prior To 54.0.2840.85 For Android
Vendor
CVE Published:
19 January 2017

What is CVE-2016-5196?

A security issue in Google Chrome for Android prior to version 54.0.2840.85 allows remote attackers to exploit insufficient enforcement of the Same Origin Policy on downloaded files. This vulnerability enables unauthorized access to any downloaded file and the ability to interact with websites, including those where the user is authenticated. Attackers can leverage crafted HTML pages to exploit this flaw and compromise user data.

Affected Version(s)

Google Chrome prior to 54.0.2840.85 for Android Google Chrome prior to 54.0.2840.85 for Android

References

https://chromereleases.googleblog.com/2016/10/chrome-for-...
x_refsource_CONFIRM
https://crbug.com/659492
x_refsource_CONFIRM
http://www.securityfocus.com/bid/94078
vdb-entryx_refsource_BID

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.