The WebPageSerializerImpl::openTagToString function in WebKit/Source/web/WebPageSerializerImpl.cpp in the page serializer in Google Chrome before 47.0.2526.80 does not properly use HTML entities, which might allow remote attackers to inject arbitrary web script or HTML via a crafted document, as demonstrated by a double-quote character inside a single-quoted string.
http://googlechromereleases.blogspot.com/2015/12/stable-channel-update_8.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00017.html
http://rhn.redhat.com/errata/RHSA-2015-2618.html
http://www.debian.org/security/2015/dsa-3418
http://www.securityfocus.com/bid/78734
http://www.ubuntu.com/usn/USN-2860-1
https://code.google.com/p/chromium/issues/detail?id=542054
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to 47.0.2526.73 (inclusive)
ID | Name | Product | Family | Severity |
---|---|---|---|---|
89902 | GLSA-201603-09 : Chromium: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
87868 | Ubuntu 14.04 LTS / 15.04 / 15.10 : oxide-qt vulnerabilities (USN-2860-1) | Nessus | Ubuntu Local Security Checks | critical |
87488 | openSUSE Security Update : Chromium (openSUSE-2015-912) | Nessus | SuSE Local Security Checks | critical |
9034 | Google Chrome < 47.0.2526.80 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | high |
87362 | FreeBSD : chromium -- multiple vulnerabilities (72c145df-a1e0-11e5-8ad0-00262d5ed8ee) | Nessus | FreeBSD Local Security Checks | critical |
87360 | Debian DSA-3418-1 : chromium-browser - security update | Nessus | Debian Local Security Checks | critical |
87336 | RHEL 6 : chromium-browser (RHSA-2015:2618) | Nessus | Red Hat Local Security Checks | critical |
87248 | Google Chrome < 47.0.2526.80 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | critical |
87245 | Google Chrome < 47.0.2526.80 Multiple Vulnerabilities | Nessus | Windows | critical |