PT-2022-7832 · Unknown+1 · Icedtea-Web+1

Tomas Hoger · Published 2022-07-07 · Updated 2022-07-15 · CVE-2015-5236

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

IcedTea-Web (affected versions not specified)

Description

The issue allows a malicious site to bypass the Same Origin Policy (SOP) checks via a spoofed codebase value. This is possible because IcedTea-Web uses the codebase attribute of the tag on the HTML page that hosts the Java applet in the SOP checks, and the specified codebase does not have to match the applet's actual origin.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Insufficient Verification of Data Authenticity

Weakness Enumeration

Related Identifiers

CVE-2015-5236

Affected Products

Debian
Icedtea-Web