FKIE_CVE-2009-0276

Vulnerability from fkie_nvd - Published: 2009-02-03 19:30 - Updated: 2025-04-09 00:30
Severity ?
Summary
Cross-domain vulnerability in the V8 JavaScript engine in Google Chrome before 1.0.154.46 allows remote attackers to bypass the Same Origin Policy via a crafted script that accesses another frame and reads its full URL and possibly other sensitive information, or modifies the URL of this frame.
References
cve@mitre.orghttp://codereview.chromium.org/18531
cve@mitre.orghttp://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.htmlVendor Advisory
cve@mitre.orghttp://secunia.com/advisories/33754Vendor Advisory
cve@mitre.orghttp://sites.google.com/a/chromium.org/dev/getting-involved/dev-channel/release-notes
cve@mitre.orghttp://src.chromium.org/viewvc/chrome?view=rev&revision=8524
af854a3a-2127-422b-91ae-364da2661108http://codereview.chromium.org/18531
af854a3a-2127-422b-91ae-364da2661108http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/33754Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://sites.google.com/a/chromium.org/dev/getting-involved/dev-channel/release-notes
af854a3a-2127-422b-91ae-364da2661108http://src.chromium.org/viewvc/chrome?view=rev&revision=8524
Impacted products
Vendor Product Version
google chrome *
google chrome 0.2.152.1
google chrome 0.2.153.1
google chrome 0.3.154.0
google chrome 0.3.154.3
google chrome 0.4.154.18
google chrome 0.4.154.22
google chrome 0.4.154.31
google chrome 0.4.154.33
google chrome 1.0.154.36
google chrome 1.0.154.39
google chrome 1.0.154.42
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3D8C988-6C80-4627-BE11-72304CDE0AC0",
              "versionEndIncluding": "1.0.154.43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.2.152.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD4A2AB1-6F90-4D0B-A673-C6310514CE63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.2.153.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "66A4FEB5-11D8-4FFC-972D-A3B991176040",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.3.154.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6313614-FC3C-488C-B80B-191797319A56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.3.154.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CDF3DAB-73C4-48E8-9B0B-DADABF217555",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.4.154.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B2FAE50-4CA3-46F6-B533-C599011A9ED5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.4.154.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0D94F22-37B6-4938-966A-E1830D83FBC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.4.154.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8B7164E-7A4F-4959-9E6D-EF614EDD4C3C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:0.4.154.33:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C0F9D75-B10D-468F-84D8-61B6A1230556",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:1.0.154.36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D2CAE29-3F1E-4374-B82C-B60B7BB4AEAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:1.0.154.39:*:*:*:*:*:*:*",
              "matchCriteriaId": "173D539E-045E-4429-80C9-5749BECC6CD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:google:chrome:1.0.154.42:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2052352-FECC-4990-B0F4-A715694AD816",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-domain vulnerability in the V8 JavaScript engine in Google Chrome before 1.0.154.46 allows remote attackers to bypass the Same Origin Policy via a crafted script that accesses another frame and reads its full URL and possibly other sensitive information, or modifies the URL of this frame."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de dominio cruzado en la V8 del motor JavaScript en Google Chrome anterior a 1.0.154.46, permite a atacantes remotos evitar la Pol\u00edtica del Mismo Origen (Same Origin Policy) a trav\u00e9s de una secuencia de comandos que accede a otro marco (frame) y lee su URL completa y probablemente otra informaci\u00f3n sensible, o modifica la URL de ese marco (frame)."
    }
  ],
  "id": "CVE-2009-0276",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2009-02-03T19:30:00.343",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://codereview.chromium.org/18531"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/33754"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://sites.google.com/a/chromium.org/dev/getting-involved/dev-channel/release-notes"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://src.chromium.org/viewvc/chrome?view=rev\u0026revision=8524"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://codereview.chromium.org/18531"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://googlechromereleases.blogspot.com/2009/01/stable-beta-update-yahoo-mail-and.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/33754"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://sites.google.com/a/chromium.org/dev/getting-involved/dev-channel/release-notes"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://src.chromium.org/viewvc/chrome?view=rev\u0026revision=8524"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.