CVSS2 | Value |
---|---|
Base score | 5 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |

EPSS | Value |
---|---|
Score | 0.006 Low |
Percentile | 78.4% |

The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in
Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK
characters in the omnibox, which makes it easier for remote attackers to
spoof the SSL lock icon by placing one of these characters at the end of a
URL, as demonstrated by the omnibox in localizations for right-to-left
languages.
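
The mitigation this description points to, as an added example (not Chromium's code and not part of the original advisory): when a URL is unescaped for display, percent-encoded lock characters are left encoded. The function names, the choice of the four code points U+1F50F, U+1F510, U+1F512 and U+1F513, and the rule that ASCII escapes stay encoded are assumptions of this example.

```cpp
#include <cstddef>
#include <string>

// Value of a hex digit, or -1 if c is not one.
static int HexVal(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Decodes "%XX" at s[i] into *out; false if there is no valid escape there.
static bool DecodeAt(const std::string& s, size_t i, unsigned char* out) {
  if (i + 2 >= s.size() || s[i] != '%') return false;
  int hi = HexVal(s[i + 1]), lo = HexVal(s[i + 2]);
  if (hi < 0 || lo < 0) return false;
  *out = static_cast<unsigned char>(hi * 16 + lo);
  return true;
}

// True if four escapes starting at i are the UTF-8 bytes F0 9F 94 8F/90/92/93,
// i.e. U+1F50F, U+1F510, U+1F512 or U+1F513 (this set is an assumption).
static bool IsEscapedLockAt(const std::string& s, size_t i) {
  unsigned char b[4];
  for (size_t k = 0; k < 4; ++k)
    if (!DecodeAt(s, i + 3 * k, &b[k])) return false;
  return b[0] == 0xF0 && b[1] == 0x9F && b[2] == 0x94 &&
         (b[3] == 0x8F || b[3] == 0x90 || b[3] == 0x92 || b[3] == 0x93);
}

// Unescapes non-ASCII bytes for display; lock characters stay percent-encoded.
// Assumes a canonicalized URL (non-ASCII already escaped); no UTF-8 validation.
std::string UnescapeForDisplay(const std::string& url) {
  std::string out;
  for (size_t i = 0; i < url.size();) {
    unsigned char byte = 0;
    if (IsEscapedLockAt(url, i)) {
      out.append(url, i, 12);  // keep "%F0%9F%94%xx" exactly as received
      i += 12;
    } else if (DecodeAt(url, i, &byte) && byte >= 0x80) {
      out.push_back(static_cast<char>(byte));
      i += 3;
    } else {
      out.push_back(url[i++]);
    }
  }
  return out;
}
```
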
Author | Note |
---|---|
chrisccoulson | URL displayed to the user in Oxide embedders is decoded by Qt |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | chromium-browser | < 45.0.2454.85-0ubuntu0.14.04.1.1097 | UNKNOWN |
ubuntu | 15.04 | noarch | chromium-browser | < 45.0.2454.85-0ubuntu0.15.04.1.1181 | UNKNOWN |
ubuntu | 15.10 | noarch | chromium-browser | < 45.0.2454.85-0ubuntu1.1198 | UNKNOWN |