Vulnerability Details : CVE-2016-5204
Potential exploit
Leaking of an SVG shadow tree leading to corruption of the DOM tree in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2016-5204
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-5204
0.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-5204
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2016-5204
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5204
-
http://www.securityfocus.com/bid/94633
Google Chrome Prior to 55.0.2883.75 Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
http://rhn.redhat.com/errata/RHSA-2016-2919.html
RHSA-2016:2919 - Security Advisory - Red Hat Customer Portal
-
https://crbug.com/630870
630870 - Security: Universal XSS by intercepting a UA shadow tree - chromium - MonorailIssue Tracking;Patch
-
https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html
Chrome Releases: Stable Channel Update for DesktopVendor Advisory
-
https://security.gentoo.org/glsa/201612-11
Chromium: Multiple vulnerabilities (GLSA 201612-11) — Gentoo security
Jump to