CVE-2015-1285

2015-07-2300:59:00

CWE-200

[email protected]

web.nvd.nist.gov

cve-2015-1285

xssauditor

blink

google chrome

information security

remote attack

8.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

72.3%

JSON

The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89, does not properly choose a truncation point, which makes it easier for remote attackers to obtain sensitive information via an unspecified linear-time attack.

CPENameOperatorVersion
redhat:enterprise_linux_server_supplementary_eusredhat enterprise linux server supplementary euseq6.7z
redhat:enterprise_linux_desktop_supplementaryredhat enterprise linux desktop supplementaryeq6.0
redhat:enterprise_linux_server_supplementaryredhat enterprise linux server supplementaryeq6.0
redhat:enterprise_linux_workstation_supplementaryredhat enterprise linux workstation supplementaryeq6.0
debian:debian_linuxdebian debian linuxeq8.0
opensuse:opensuseopensuseeq13.1
opensuse:opensuseopensuseeq13.2
google:chromegoogle chromele43.0.2357.134

CPE	Name	Operator	Version
redhat:enterprise_linux_server_supplementary_eus	redhat enterprise linux server supplementary eus	eq	6.7z
redhat:enterprise_linux_desktop_supplementary	redhat enterprise linux desktop supplementary	eq	6.0
redhat:enterprise_linux_server_supplementary	redhat enterprise linux server supplementary	eq	6.0
redhat:enterprise_linux_workstation_supplementary	redhat enterprise linux workstation supplementary	eq	6.0
debian:debian_linux	debian debian linux	eq	8.0
opensuse:opensuse	opensuse	eq	13.1
opensuse:opensuse	opensuse	eq	13.2
google:chrome	google chrome	le	43.0.2357.134