Vulnerability Details : CVE-2015-1210
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Products affected by CVE-2015-1210
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:android:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1210
0.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 76 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-1210
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST |
References for CVE-2015-1210
-
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html
[security-announce] openSUSE-SU-2015:0441-1: important: Security updateMailing List;Third Party Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/100716
Google Chrome V8 bindings security bypass CVE-2015-1210 Vulnerability ReportVDB Entry
-
http://rhn.redhat.com/errata/RHSA-2015-0163.html
RHSA-2015:0163 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://src.chromium.org/viewvc/blink?revision=189365&view=revision
[blink] Revision 189365Patch;Vendor Advisory
-
http://www.ubuntu.com/usn/USN-2495-1
USN-2495-1: Oxide vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
Chrome Releases: Stable Channel UpdateVendor Advisory
-
http://www.securityfocus.com/bid/72497
Google Chrome Prior to 40.0.2214.109 Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
http://googlechromereleases.blogspot.com/2015/02/chrome-for-android-update.html
Chrome Releases: Chrome for Android UpdateVendor Advisory
-
http://www.securitytracker.com/id/1031709
Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Bypass Same-Origin Restrictions - SecurityTrackerThird Party Advisory;VDB Entry
-
http://security.gentoo.org/glsa/glsa-201502-13.xml
Chromium: Multiple vulnerabilities (GLSA 201502-13) — Gentoo securityThird Party Advisory
-
https://code.google.com/p/chromium/issues/detail?id=453979
453979 - Security: UXSS in V8 - chromium - MonorailExploit;Issue Tracking;Patch;Vendor Advisory
Jump to