CVE-2022-1501 An iframe in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to leak cross-origin data.

This issue was addressed by ensuring that iframes are only loaded from the same origin as the page itself. In addition, Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with the iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page. This issue was addressed by restricting iframe injection to the same origin as the parent page.

Summary

This issue was addressed by ensuring that iframes are only loaded from the same origin as the page itself. In addition, Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with the iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page.

Google Chrome

Google Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with the iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page. The attacker could then inject the parent's window event handler on their own domain to execute arbitrary JavaScript code in the context of the parent domain's origin, without any user interaction, from within that domain or from any other domain on the internet from which that page can be accessed through an iframe.
