CVE-2015-3336 : Google Chrome before 42.0.2311.90 does not always ask the user before proceeding

Google Chrome before 42.0.2311.90 does not always ask the user before proceeding with CONTENT_SETTINGS_TYPE_FULLSCREEN and CONTENT_SETTINGS_TYPE_MOUSELOCK changes, which allows user-assisted remote attackers to cause a denial of service (UI disruption) by constructing a crafted HTML document containing JavaScript code with requestFullScreen and requestPointerLock calls, and arranging for the user to access this document with a file: URL.

Published 2015-04-19 10:59:16

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2015-3336

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Google » Chrome
Versions up to, including, (<=) 42.0.2311.60
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-3336

EPSS FAQ

0.85%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-3336

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2015-3336

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3336

http://lists.opensuse.org/opensuse-updates/2015-04/msg00040.html

openSUSE-SU-2015:0748-1: moderate: Security update for Chromium
Third Party Advisory

CVEs referencing this url
https://code.google.com/p/chromium/issues/detail?id=455953

455953 - Security: file:// origins can use webkitRequestFullscreen and requestPointerLock without a prompt - chromium - Monorail
Exploit;Vendor Advisory
http://www.securityfocus.com/bid/74227

Google Chrome CVE-2015-3336 Denial of Service Vulnerability
Third Party Advisory;VDB Entry
http://www.debian.org/security/2015/dsa-3238

Debian -- Security Information -- DSA-3238-1 chromium-browser
Third Party Advisory

CVEs referencing this url
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html

Chrome Releases: Stable Channel Update
Release Notes;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-3336

Products affected by CVE-2015-3336

Exploit prediction scoring system (EPSS) score for CVE-2015-3336

CVSS scores for CVE-2015-3336

CWE ids for CVE-2015-3336

References for CVE-2015-3336