Vulnerability Description
The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended embedder or unintended plugin loading, related to pdf.js and out_of_process_instance.cc.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chrome | <= 46.0.2490.80 |
Related Weaknesses (CWE)
References
- http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html
- http://rhn.redhat.com/errata/RHSA-2015-1841.html
- http://www.debian.org/security/2015/dsa-3415
- http://www.securityfocus.com/bid/77537
- http://www.securitytracker.com/id/1034132
- https://code.google.com/p/chromium/issues/detail?id=520422
- https://codereview.chromium.org/1316803003
- https://security.gentoo.org/glsa/201603-09
- http://googlechromereleases.blogspot.com/2015/11/stable-channel-update.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00120.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00121.html
- http://rhn.redhat.com/errata/RHSA-2015-1841.html
- http://www.debian.org/security/2015/dsa-3415
FAQ
What is CVE-2015-1302?
CVE-2015-1302 is a vulnerability with a CVSS score of 7.5 (HIGH). The PDF viewer in Google Chrome before 46.0.2490.86 does not properly restrict scripting messages and API exposure, which allows remote attackers to bypass the Same Origin Policy via an unintended emb...
How severe is CVE-2015-1302?
CVE-2015-1302 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-1302?
Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome.