CVE-2016-1640

Description

The Web Store inline-installer implementation in the Extensions UI in Google Chrome before 49.0.2623.75 does not block installations upon deletion of an installation frame, which makes it easier for remote attackers to trick a user into believing that an installation request originated from the user's next navigation target via a crafted web site.

References

Link	Tags
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00014.html	vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00018.html	vendor advisory
http://www.securityfocus.com/bid/84008	vdb entry
http://www.debian.org/security/2016/dsa-3507	vendor advisory
http://www.securitytracker.com/id/1035185	vdb entry
https://codereview.chromium.org/1496033003
https://codereview.chromium.org/1554233005
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00028.html	vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00015.html	vendor advisory
https://security.gentoo.org/glsa/201603-09	vendor advisory
https://code.google.com/p/chromium/issues/detail?id=550047
http://googlechromereleases.blogspot.com/2016/03/stable-channel-update.html

Frequently Asked Questions

What is the severity of CVE-2016-1640?: CVE-2016-1640 has been scored as a medium severity vulnerability.
How to fix CVE-2016-1640?: To fix CVE-2016-1640, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-1640 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2016-1640 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-17 – DEPRECATED: Code

References

Frequently Asked Questions