CVE-2015-1302

The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html
http://rhn.redhat.com/errata/RHSA-2015-1841.html
http://www.debian.org/security/2015/dsa-3415
http://www.securityfocus.com/bid/77537
http://www.securitytracker.com/id/1034132
https://code.google.com/p/chromium/issues/detail?id=520422
https://codereview.chromium.org/1316803003
https://security.gentoo.org/glsa/201603-09

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-11-11 11:59

Updated : 2024-02-04 18:53

NVD link : CVE-2015-1302

Mitre link : CVE-2015-1302

CVE.ORG link : CVE-2015-1302

JSON object : View

Products Affected

google

chrome

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2015-1302", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-11-11T11:59:00.103", "references": [{"url": "http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html", "source": "chrome-cve-admin@google.com"}, {"url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html", "source": "chrome-cve-admin@google.com"}, {"url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html", "source": "chrome-cve-admin@google.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2015-1841.html", "source": "chrome-cve-admin@google.com"}, {"url": "http://www.debian.org/security/2015/dsa-3415", "source": "chrome-cve-admin@google.com"}, {"url": "http://www.securityfocus.com/bid/77537", "source": "chrome-cve-admin@google.com"}, {"url": "http://www.securitytracker.com/id/1034132", "source": "chrome-cve-admin@google.com"}, {"url": "https://code.google.com/p/chromium/issues/detail?id=520422", "source": "chrome-cve-admin@google.com"}, {"url": "https://codereview.chromium.org/1316803003", "source": "chrome-cve-admin@google.com"}, {"url": "https://security.gentoo.org/glsa/201603-09", "source": "chrome-cve-admin@google.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc."}, {"lang": "es", "value": "El visor PDF en Google Chrome en versiones anteriores a 46.0.2490.86 no restringe adecuadamente mensajes de programaci\u00f3n de secuencias de comandos y la exposici\u00f3n de la API, lo que permite a atacantes remotos eludir la Same Origin Policy a trav\u00e9s de un embedder no intencionado o de la carga de un plugin no intencionado, relacionado con pdf.js y out_of_process_instance.cc."}], "lastModified": "2023-11-07T02:24:46.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D21D379E-92B7-4505-959C-1C08C36DC0A8", "versionEndIncluding": "46.0.2490.80"}], "operator": "OR"}]}], "sourceIdentifier": "chrome-cve-admin@google.com"}