Vulnerability Details : CVE-2018-1000815
Brave Software Inc. Brave version version 0.22.810 to 0.24.0 contains a Other/Unknown vulnerability in function ContentSettingsObserver::AllowScript() in content_settings_observer.cc that can result in Websites can run inline JavaScript even if script is blocked, making attackers easier to track users. This attack appear to be exploitable via the victim must visit a specially crafted website. This vulnerability appears to have been fixed in 0.25.2.
Vulnerability category: Input validation
Products affected by CVE-2018-1000815
- cpe:2.3:a:brave:brave:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000815
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-1000815
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
|
4.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2018-1000815
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000815
-
https://github.com/brave/muon/pull/651
Issue: 15232 AllowScript should use atom::ContentSettingsManager like other Allow* methods in the observer by jumde · Pull Request #651 · brave/muon · GitHubPatch
-
https://github.com/brave/muon/commit/c18663aa171c6cdf03da3e8c70df8663645b97c4
Issue: 15232 AllowScript should use atom::ContentSettingsManager like… · brave/muon@c18663a · GitHubPatch
-
https://github.com/brave/browser-laptop/issues/15232
[hackerone] 414609 noscript issue · Issue #15232 · brave/browser-laptop · GitHubPatch;Third Party Advisory
Jump to