8.7 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.006 Low
EPSS
Percentile
78.4%
The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK characters in the omnibox, which makes it easier for remote attackers to spoof the SSL lock icon by placing one of these characters at the end of a URL, as demonstrated by the omnibox in localizations for right-to-left languages.
CPE | Name | Operator | Version |
---|---|---|---|
google:chrome | google chrome | le | 44.0.2403 |
googlechromereleases.blogspot.com/2015/09/stable-channel-update.html
lists.opensuse.org/opensuse-updates/2015-09/msg00029.html
lists.opensuse.org/opensuse-updates/2015-11/msg00013.html
rhn.redhat.com/errata/RHSA-2015-1712.html
www.debian.org/security/2015/dsa-3351
www.securitytracker.com/id/1033472
code.google.com/p/chromium/issues/detail?id=421332
codereview.chromium.org/1180393003/
codereview.chromium.org/1189553002/
security.gentoo.org/glsa/201603-09