Chrome Universal XSS using plugin objects (CVE-2015-6772)

2017-04-24T00:00:00
ID SSV:93028
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00

Description

VULNERABILITY DETAILS

This is a regression from issue 524120. Because the plugin widget updates are now deferred until after the frame has been detached from its document (and past the lifetime of the ScriptForbiddenScope as well), script is able to run at that point and attach another document to the frame before the new document is installed. That attached document can then be used to bypass the same-origin policy.

VERSION

Chrome 47.0.2526.27 (Beta)
Chrome 48.0.2540.0 (Dev)
Chromium 48.0.2544.0 + Pepper Flash 19.0.0.207 (Release build compiled today)

Attachment: CVE-2015-6772