5.6 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.004 Low
EPSS
Percentile
71.4%
Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312. NOTE: it was later reported that 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta are also affected.
CPE | Name | Operator | Version |
---|---|---|---|
chrome | eq | 0.3.154.3 | |
chrome | eq | 0.2.149.30 | |
chrome | eq | 0.4.154.31 | |
chrome | eq | 1.0.154.39 | |
chrome | le | 1.0.154.48 | |
chrome | eq | 0.4.154.33 | |
chrome | eq | 1.0.154.43 | |
chrome | eq | 1.0.154.42 | |
chrome | eq | 0.4.154.18 | |
chrome | eq | 0.2.149.29 |