CVE-2017-5007

MEDIUM

Google Chrome <56.0.2924.76-56.0.2924.87 - UXSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-5007. PoCs published by Ang-YC.

Description

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

Exploits (1)

nomisec NO CODE

by Ang-YC · poc

https://github.com/Ang-YC/CVE-2017-5007

View Code ZIP pw:eip

References (7)

Core 7

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/95792

Release Notes, Vendor Advisory x_refsource_confirm

https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201701-66

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2017-0206.html

Issue Tracking x_refsource_confirm

https://crbug.com/671102

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1037718

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2017/dsa-3776

Scores

CVSS v3 6.1

EPSS 0.0422

EPSS Percentile 88.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

google/chrome < 55.0.2883.87

n/a/Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android

Published Feb 17, 2017

Tracked Since Feb 18, 2026