Content Security Policy Bypass in Google Chrome on Multiple Platforms
CVE-2017-5033

4.3MEDIUM

Key Information:

Vendor
Google
Status
Google Chrome Prior To 57.0.2987.98 For Mac, Windows And Linux, And 57.0.2987.108 For Android
Vendor
CVE Published:
24 April 2017

Summary

A vulnerability in Google Chrome allows remote attackers to circumvent content security policy restrictions due to improper handling of CSP settings in local scheme pages. This occurs specifically with the unsafe-inline keyword, enabling potential exploitation when a crafted HTML page is rendered. These flaws expose users to risks associated with malicious content being executed in their browser environments.

Affected Version(s)

Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android

References

https://chromereleases.googleblog.com/2017/03/stable-chan...
x_refsource_CONFIRM
https://twitter.com/Ma7h1as/status/907641276434063361
x_refsource_MISC
https://crbug.com/669086
x_refsource_CONFIRM

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.