CVE-2018-1000815
Summary
| CVE | CVE-2018-1000815 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-12-20 15:29:00 UTC |
| Updated | 2019-02-06 14:36:00 UTC |
| Description | Brave Software Inc. Brave versions 0.22.810 to 0.24.0 contain an Other/Unknown vulnerability in the function ContentSettingsObserver::AllowScript() in content_settings_observer.cc that allows websites to run inline JavaScript even if script is blocked, making it easier for attackers to track users. The attack appears to be exploitable when the victim visits a specially crafted website. This vulnerability appears to have been fixed in 0.25.2. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Issue: 15232 AllowScript should use atom::ContentSettingsManager like other Allow* methods in the observer by jumde · Pull Request #651 · brave/muon · GitHub | MISC | github.com | Patch |
| Issue: 15232 AllowScript should use atom::ContentSettingsManager like… · brave/muon@c18663a · GitHub | MISC | github.com | Patch |
| [hackerone] 414609 noscript issue · Issue #15232 · brave/browser-laptop · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |