1. Home
  2. CVE Database
  3. CVE-2016-5149
HIGH · 8.8

CVE-2016-5149

The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remo...

Vulnerability Description

The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a resource that initially has the about:blank URL.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
GoogleChrome<= 52.0.2743.116
OpensuseLeap42.1

Related Weaknesses (CWE)

CWE-94

References

FAQ

What is CVE-2016-5149?

CVE-2016-5149 is a vulnerability with a CVSS score of 8.8 (HIGH). The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remo...

How severe is CVE-2016-5149?

CVE-2016-5149 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-5149?

Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome, Opensuse Leap.