Vulnerability Description
The getSVGDocument method in Google Chrome before 3.0.195.21 omits an unspecified "access check," which allows remote web servers to bypass the Same Origin Policy and conduct cross-site scripting attacks via unknown vectors, related to a user's visit to a different web server that hosts an SVG document.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chrome | <= 3.0.193.2 |
Related Weaknesses (CWE)
References
- http://code.google.com/p/chromium/issues/detail?id=21338Vendor Advisory
- http://googlechromereleases.blogspot.com/2009/09/stable-channel-update.html
- http://osvdb.org/58193
- http://secunia.com/advisories/36770Vendor Advisory
- http://www.securityfocus.com/bid/36416
- http://code.google.com/p/chromium/issues/detail?id=21338Vendor Advisory
- http://googlechromereleases.blogspot.com/2009/09/stable-channel-update.html
- http://osvdb.org/58193
- http://secunia.com/advisories/36770Vendor Advisory
- http://www.securityfocus.com/bid/36416
FAQ
What is CVE-2009-3264?
CVE-2009-3264 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The getSVGDocument method in Google Chrome before 3.0.195.21 omits an unspecified "access check," which allows remote web servers to bypass the Same Origin Policy and conduct cross-site scripting atta...
How severe is CVE-2009-3264?
CVE-2009-3264 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-3264?
Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome.