Vulnerability CVE-2013-6656 - CERT Civis.Net

Vulnerability Name:

CVE-2013-6656 (CCN-91233)

Assigned:

2013-11-05

Published:

2014-02-20

Updated:

2014-04-01

Summary:

The XSSAuditor::init function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, processes POST requests by using the body of a redirecting page instead of the body of a redirect target, which allows remote attackers to obtain sensitive information via unspecified vectors.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2013-6656

Source: CCN
Type: Google Chrome Releases Web site
Stable Channel Update

Source: CONFIRM
Type: Vendor Advisory
http://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:0327

Source: CCN
Type: SA57028
Google Chrome Multiple Vulnerabilities

Source: DEBIAN
Type: UNKNOWN
DSA-2883

Source: CONFIRM
Type: UNKNOWN
https://code.google.com/p/chromium/issues/detail?id=331725

Source: XF
Type: UNKNOWN
google-chrome-cve20136656-info-disc(91233)

Source: CONFIRM
Type: Patch
https://src.chromium.org/viewvc/blink?revision=164749&view=revision

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-6656

Vulnerable Configuration:

Configuration 1:

cpe:/a:google:chrome:33.0.1750.0:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.1:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.2:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.3:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.4:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.5:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.6:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.7:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.8:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.9:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.10:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.11:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.12:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.13:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.14:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.15:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.16:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.18:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.19:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.20:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.21:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.22:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.23:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.24:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.25:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.26:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.27:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.28:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.29:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.30:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.31:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.34:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.35:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.36:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.37:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.38:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.39:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.40:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.41:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.42:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.43:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.44:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.45:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.46:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.47:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.48:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.49:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.50:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.51:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.52:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.53:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.54:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.55:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.56:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.57:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.58:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.59:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.60:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.61:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.62:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.63:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.64:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.65:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.66:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.67:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.68:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.69:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.70:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.71:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.73:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.74:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.75:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.76:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.77:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.79:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.80:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.81:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.82:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.83:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.85:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.88:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.89:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.90:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.91:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.92:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.93:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.104:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.106:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.107:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.108:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.109:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.110:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.111:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.112:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.113:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:33.0.1750.115:*:*:*:*:*:*:*

OR cpe:/a:google:chrome:*:*:*:*:*:*:*:* (Version <= 33.0.1750.116)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20136656	V	CVE-2013-6656	2022-06-30
oval:org.opensuse.security:def:112065	P	chromedriver-55.0.2883.75-3.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105614	P	chromedriver-55.0.2883.75-3.1 on GA media (Moderate)	2021-10-01
oval:org.mitre.oval:def:24361	P	DSA-2883-1 chromium-browser - security update	2014-06-23
oval:org.mitre.oval:def:22438	V	The XSSAuditor::init function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, processes POST requests by using the body of a redirecting page instead of the body of a redirect target, which allows remote attackers to obtain sensitive information via unspecified vectors.	2014-04-14
oval:com.ubuntu.precise:def:20136656000	V	CVE-2013-6656 on Ubuntu 12.04 LTS (precise) - medium.	2014-02-23