| Vulnerability Name: | CVE-2009-1413 (CCN-50447) | ||||||||
| Assigned: | 2009-04-23 | ||||||||
| Published: | 2009-04-23 | ||||||||
| Updated: | 2017-08-17 | ||||||||
| Summary: | Google Chrome 1.0.x does not cancel timeouts upon a page transition, which makes it easier for attackers to conduct Universal XSS attacks by calling setTimeout to trigger future execution of JavaScript code, and then modifying document.location to arrange for JavaScript execution in the context of an arbitrary web site. Note: this can be leveraged for a remote attack by exploiting a chromehtml: argument-injection vulnerability. | ||||||||
| CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
| ||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)
4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:UR)
| ||||||||
| Vulnerability Type: | CWE-264 | ||||||||
| Vulnerability Consequences: | Gain Access | ||||||||
| References: | Source: MISC Type: Vendor Advisory http://chromium.googlecode.com/issues/attachment?aid=5579180911289877192&name=Google+Chrome+Advisory.doc Source: CCN Type: Google Code Web site chromium Issue 9860: ChromeHTML URI handler vulnerability Source: CONFIRM Type: UNKNOWN http://code.google.com/p/chromium/issues/detail?id=9860 Source: MITRE Type: CNA CVE-2009-1413 Source: CCN Type: Google Chrome Web site Google Chrome Source: CCN Type: OSVDB ID: 56431 Google Chrome Page Transition Timeout Cancellation Weakness Source: XF Type: UNKNOWN googlechrome-settimeout-xss(50447) Source: XF Type: UNKNOWN googlechrome-settimeout-xss(50447) | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| BACK | |||||||||