CVE-2017-5018

MEDIUM

Google Chrome <56.0.2924.76-56.0.2924.87 - XSS

Title source: llm

Description

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.

References (7)

[Issue Tracking] https://crbug.com/668665

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0206.html

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1037718

[Release Notes, Vendor Advisory] https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95792

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3776

[Third Party Advisory] https://security.gentoo.org/glsa/201701-66

Scores

CVSS v3 6.1

EPSS 0.0044

EPSS Percentile 63.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

google/chrome < 55.0.2883.87

n/a/Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android < Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android

Timeline

Published Feb 17, 2017

Tracked Since Feb 18, 2026