Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-5236

It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.

Published

2022-07-07T16:15:08.807

Last Modified

2024-11-21T02:32:37.250

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-345
Type: Primary
CWE-345

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	icedtea-web_project	icedtea-web	-	Yes

References

https://bugzilla.redhat.com/show_bug.cgi?id=1256403 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1256403 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)