CVE-2016-5173
HIGHGoogle Chrome < 53.0.2785.101 - Same Origin Policy Bypass via Object.prototype Access
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2016-5173. PoCs published by OpenSISE.
Description
The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.
Exploits (1)
github
NO CODE
31 stars
by OpenSISE · cpoc
https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/Browser/CVE-2016-5173
References (10)
Core 10
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2016/dsa-3667
Patch x_refsource_confirm
https://codereview.chromium.org/1840453002
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1036826
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/92942
Release Notes, Vendor Advisory x_refsource_confirm
https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_13.html
Issue Tracking x_refsource_confirm
https://crbug.com/468931
Issue Tracking x_refsource_misc
https://crbug.com/497507
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201610-09
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1905.html
Issue Tracking x_refsource_misc
https://crbug.com/471523
Scores
CVSS v3
7.1
EPSS
0.0101
EPSS Percentile
58.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Details
CWE
CWE-284
Status
published
Products (1)
google/chrome
< 53.0.2785.101
Published
Sep 25, 2016
Tracked Since
Feb 18, 2026