CVE-2016-5173

HIGH

Google Chrome < 53.0.2785.101 - Improper Access Control

Title source: rule

Description

The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.

Exploits (1)

github NO CODE 31 stars
by OpenSISE · cpoc
https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/Browser/CVE-2016-5173

Scores

CVSS v3 7.1
EPSS 0.0075
EPSS Percentile 73.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Details

CWE CWE-284
Status published
Products (1)
google/chrome < 53.0.2785.101
Published Sep 25, 2016
Tracked Since Feb 18, 2026