Vulnerability Details : CVE-2010-1236
The protocolIs function in platform/KURLGoogle.cpp in WebCore in WebKit before r55822, as used in Google Chrome before 4.1.249.1036 and Flock Browser 3.x before 3.0.0.4112, does not properly handle whitespace at the beginning of a URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted javascript: URL, as demonstrated by a \x00javascript:alert sequence.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2010-1236
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.190.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.195.27:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.33:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.169.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:0.1.42.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.195.25:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.28:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.38:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.169.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.37:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:1.0.154.59:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:0.1.38.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:0.1.38.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:0.1.38.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:0.1.40.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.195.33:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.27:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.172.30:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:1.0.154.64:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:1.0.154.65:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.182.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.195.37:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.195.36:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:2.0.170.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:1.0.154.53:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:0.1.42.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.244.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.78:beta:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1010:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1011:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1018:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1019:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1026:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1027:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1028:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.60:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.239.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.237.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.222.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.221.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.24:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.25:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.33:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1001:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1004:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1012:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1013:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1006:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1007:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1014:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1015:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1022:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1023:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1031:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1032:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.243.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.242.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.235.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.229.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.222.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.212.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.21:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.28:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.29:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.245.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.245.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.14:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.12:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.52:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.53:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.50:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.61:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.58:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.39:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.38:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.44:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.43:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.71:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.67:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.250.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.259.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.258.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.72:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.76:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.34:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.248.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.19:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.18:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.57:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.54:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.65:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.62:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.41:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.40:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.48:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.47:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.68:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.304.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.252.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.254.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.80:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.262.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.255.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.9:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.292.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.294.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.289.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.302.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.301.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.267.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.266.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.276.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.275.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1020:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1021:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1029:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1030:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.237.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.236.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.222.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.212.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.26:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.27:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.35:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.36:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.11:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.10:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.20:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.55:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.63:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.46:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.45:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.70:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.305.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.78:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.81:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.82:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.256.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.257.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.74:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.73:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.290.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.288.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.302.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.299.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.265.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.264.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.275.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.272.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:3.0.195.38:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.75:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.288.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.302.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.300.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.271.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.263.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.287.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1008:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1009:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1016:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1017:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1024:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1025:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1033:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.1.249.1034:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.241.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.240.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.224.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.9:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.223.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.222.12:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.22:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.23:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.30:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.31:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.32:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.247.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.246.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.17:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.16:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.51:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.56:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.59:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.64:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.37:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.42:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.49:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.66:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.69:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.250.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.251.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.260.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.261.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.79:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.249.77:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.295.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.296.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.303.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.302.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.269.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.268.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.286.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.278.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:4.0.277.0:*:*:*:*:*:*:*
- cpe:2.3:a:flock:flock:3.0.0.4094:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2010-1236
0.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2010-1236
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2010-1236
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-1236
-
http://src.chromium.org/viewvc/chrome?view=rev&revision=41244
[chrome] Revision 41244
-
http://flock.com/security/
Flock – A Secure Team Communication & Collaboration App
-
http://www.vupen.com/english/advisories/2011/0212
Webmail | OVH- OVHVendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2011:002
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14067
Repository / Oval Repository
-
http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html
Chrome Releases: Stable Channel Update
-
http://code.google.com/p/chromium/issues/detail?id=37383
37383 - javascript: url with a leading NULL byte can bypass cross origin protection. - chromium - MonorailExploit
-
http://codereview.chromium.org/858001
Issue 858001: Merge WebKit r55822:... - Code Review
-
https://bugs.webkit.org/show_bug.cgi?id=35948
Bug Access Denied
Jump to