CVE-2020-15973
First published: Tue Nov 03 2020(Updated: )
Insufficient policy enforcement in extensions in Google Chrome prior to 86.0.4240.75 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension.
Credit: chrome-cve-admin@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Chrome | <86.0.4240.75 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| openSUSE Backports SLE | =15.0-sp2 | |
| Debian Debian Linux | =10.0 | |
| debian/chromium | 90.0.4430.212-1~deb10u1 116.0.5845.180-1~deb11u1 120.0.6099.129-1~deb11u1 119.0.6045.199-1~deb12u1 120.0.6099.129-1~deb12u1 120.0.6099.129-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html
- https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
- https://crbug.com/1106890
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/24QFL4C3AZKMFVL7LVSYMU2DNE5VVUGS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GWCWNHTTYOH6HSFUXPGPBB6J6JYZHZE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SC3U3H6AISVZB5PLZLLNF4HMQ4UFFL7M/
- https://www.debian.org/security/2021/dsa-4824
- https://security-tracker.debian.org/tracker/CVE-2020-15973
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-15973.
What is the title of the vulnerability?
The title of the vulnerability is 'Insufficient policy enforcement in extensions in Google Chrome prior to 86.0.4240.75 allowed an attacker to bypass same origin policy via a crafted Chrome Extension'.
What is the severity of CVE-2020-15973?
The severity of CVE-2020-15973 is medium with a severity score of 6.5.
Which software versions are affected by this vulnerability?
Google Chrome versions prior to 86.0.4240.75, Fedora 31, Fedora 32, Fedora 33, openSUSE Backports SLE 15.0-sp2, Debian Debian Linux 10.0, and Chromium versions 90.0.4430.212-1~deb10u1, 116.0.5845.180-1~deb11u1, 118.0.5993.117-1~deb11u1, 116.0.5845.180-1~deb12u1, 118.0.5993.117-1~deb12u1, 118.0.5993.117-1, and 119.0.6045.105-1 are affected.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by convincing a user to install a malicious extension, which allows them to bypass the same origin policy via a crafted Chrome Extension.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/security-tracker-debian
- vendor/google
- canonical/google chrome
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/debian