CVE-2016-1658
MEDIUM
Google Chrome < 49.0.2623.112 - Unauthenticated Exposure of Sensitive Information via Extension Origin Comparison Bypass
Title source: llm
Description
The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension.
References (10)
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00050.html
Patch x_refsource_confirm
https://codereview.chromium.org/1658913002
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00049.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0638.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00040.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3549
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00041.html
Release Notes, Vendor Advisory x_refsource_confirm
http://googlechromereleases.blogspot.com/2016/04/stable-channel-update_13.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201605-02
Issue Tracking x_refsource_confirm
https://crbug.com/573317
Scores
CVSS v3
4.3
EPSS
0.0072
EPSS Percentile
72.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
CWE-284
Status
published
Products (4)
debian/debian_linux
8.0
google/chrome
< 49.0.2623.112
novell/suse_package_hub_for_suse_linux_enterprise
12
opensuse/leap
42.1
Published
Apr 18, 2016
Tracked Since
Feb 18, 2026