CVE-2017-5018

medium

Description

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.

References

http://rhn.redhat.com/errata/RHSA-2017-0206.html

https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html

https://crbug.com/668665

https://security.gentoo.org/glsa/201701-66

http://www.debian.org/security/2017/dsa-3776

http://www.securitytracker.com/id/1037718

Details

Source: Mitre, NVD

Published: 2017-02-17

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium