CVE-2015-5236

Published: Jul 7, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.

Affected (1)

Products: Icedtea Web Project: Icedtea Web

Icedtea Web Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Icedtea Web Project Icedtea Web	All versions

Related CWEs

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=1256403

Source: secalert@redhat.com

ExploitIssue TrackingThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1256403

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.