Vulnerability Details : CVE-2015-1236
The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a crafted web site containing a media element.
Exploit prediction scoring system (EPSS) score for CVE-2015-1236
Probability of exploitation activity in the next 30 days: 0.57%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-1236
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2015-1236
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1236
-
http://rhn.redhat.com/errata/RHSA-2015-0816.html
RHSA-2015:0816 - Security Advisory - Red Hat Customer Portal
-
http://ubuntu.com/usn/usn-2570-1
USN-2570-1: Oxide vulnerabilities | Ubuntu security notices
-
http://lists.opensuse.org/opensuse-updates/2015-04/msg00040.html
openSUSE-SU-2015:0748-1: moderate: Security update for Chromium
-
http://www.securitytracker.com/id/1032209
Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Same-Origin Restrictions - SecurityTracker
-
http://lists.opensuse.org/opensuse-updates/2015-11/msg00024.html
openSUSE-SU-2015:1887-1: moderate: Security update for chromium
-
https://src.chromium.org/viewvc/blink?revision=189527&view=revision
[blink] Revision 189527
-
https://code.google.com/p/chromium/issues/detail?id=313939
313939 - Security: Cross-origin information disclosure through createMediaElementSource and OfflineAudioContext - chromium - Monorail
-
https://security.gentoo.org/glsa/201506-04
Chromium: Multiple vulnerabilities (GLSA 201506-04) — Gentoo security
-
http://www.debian.org/security/2015/dsa-3238
Debian -- Security Information -- DSA-3238-1 chromium-browser
-
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Chrome Releases: Stable Channel UpdateVendor Advisory
Products affected by CVE-2015-1236
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*