CVE-2016-1697

🗓️ 05 Jun 2016 23:00:00Reported by ChromeType

cve

cve🔗 web.nvd.nist.gov👁 140 Views🌐 WEB

CVE-2016-1697: FrameLoader::startLoad in Blin

Reporter	Title	Published	Views	Family All 49
ArchLinux	chromium: multiple issues	5 Jun 201600:00	–	archlinux
BDU FSTEC	The vulnerability of Google Chrome browser allows a violator to circumvent existing access restrictions policies.	17 Jun 201600:00	–	bdu_fstec
FreeBSD	chromium -- multiple vulnerabilities	1 Jun 201600:00	–	freebsd
CNVD	Google Chrome FrameLoader::startLoad Same Origin Policy Bypass Vulnerability	6 Jun 201600:00	–	cnvd
Cvelist	CVE-2016-1697	5 Jun 201623:00	–	cvelist
Debian	[SECURITY] [DSA 3594-1] chromium-browser security update	4 Jun 201618:04	–	debian
Debian	[SECURITY] [DSA 3594-1] chromium-browser security update	4 Jun 201618:04	–	debian
Debian CVE	CVE-2016-1697	5 Jun 201623:00	–	debiancve
Tenable Nessus	Debian DSA-3594-1 : chromium-browser - security update	6 Jun 201600:00	–	nessus
Tenable Nessus	FreeBSD : chromium -- multiple vulnerabilities (c039a761-2c29-11e6-8912-3065ec8fd3ec)	7 Jun 201600:00	–	nessus

NVD

Node

google chromeRange≤51.0.2704.63

Node

canonical ubuntu_linuxMatch14.04lts

OR

canonical ubuntu_linuxMatch15.10

OR

canonical ubuntu_linuxMatch16.04lts

OR

debian debian_linuxMatch8.0

OR

opensuse leapMatch42.1

OR

opensuse opensuseMatch13.2

OR

redhat enterprise_linux_desktopMatch6.0

OR

redhat enterprise_linux_serverMatch6.0

OR

redhat enterprise_linux_workstationMatch6.0

OR

suse linux_enterpriseMatch12.0

Source	Link
lists	www.lists.opensuse.org/opensuse-security-announce/2016-06/msg00004.html
access	www.access.redhat.com/errata/RHSA-2016:1201
securitytracker	www.securitytracker.com/id/1036026
debian	www.debian.org/security/2016/dsa-3594
lists	www.lists.opensuse.org/opensuse-security-announce/2016-06/msg00003.html
googlechromereleases	www.googlechromereleases.blogspot.com/2016/06/stable-channel-update.html
ubuntu	www.ubuntu.com/usn/USN-2992-1
codereview	www.codereview.chromium.org/2021373003
lists	www.lists.opensuse.org/opensuse-security-announce/2016-06/msg00005.html
crbug	www.crbug.com/613266

Parameter	Position	Path	Description	CWE
data:text/html,a	nested	data:text/html,a	POC uses data URL to inject content into iframe for SOP bypass.	CWE-284
data:text/xml,	nested	data:text/xml,	POC uses data URL payload to trigger navigations within frames.	CWE-284
about:blank	nested	about:blank	Navigation to about:blank as part of cross-origin framing sequence.	CWE-284
http://www.apple.com	nested	http://www.apple.com	External navigation payload used within the frame interaction sequence.	CWE-284
https://abc.xyz	nested	https://abc.xyz	External navigation payload used within the frame interaction sequence.	CWE-284
javascript:alert(location)	nested	javascript:alert(location)	JS URL used to execute code in the context of a frame.	CWE-284
data:text/html,	nested	data:text/html,	Another data URL payload used in the proof-of-concept navigation chain.	CWE-284

17 Jun 2026 00:42Current

8.2High risk

Vulners AI Score8.2

CVSS 26.8

CVSS 38.8

EPSS0.01849

cve-2016-1697 frameloader startload blink google chrome same origin policy nvd