CVE-2015-1296
Published: 3 September 2015
The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK characters in the omnibox, which makes it easier for remote attackers to spoof the SSL lock icon by placing one of these characters at the end of a URL, as demonstrated by the omnibox in localizations for right-to-left languages.
Notes
Author | Note |
---|---|
chrisccoulson | URL displayed to the user in Oxide embedders is decoded by Qt |
Priority
Status
Package | Release | Status |
---|---|---|
chromium-browser Launchpad, Ubuntu, Debian |
precise |
Ignored
|
trusty |
Released
(45.0.2454.85-0ubuntu0.14.04.1.1097)
|
|
upstream |
Released
(45.0.2454.85)
|
|
vivid |
Released
(45.0.2454.85-0ubuntu0.15.04.1.1181)
|
|
wily |
Released
(45.0.2454.85-0ubuntu1.1198)
|
|
oxide-qt Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
trusty |
Does not exist
(trusty was not-affected)
|
|
upstream |
Not vulnerable
|
|
vivid |
Not vulnerable
|
|
wily |
Not vulnerable
|