Information disclosure in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2011-1202 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU31843
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2011-1202
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 10.0.648.0 - 10.0.648.126
CPE2.3- cpe:2.3:a:google:google_chrome:10.0.648.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:10.0.648.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:10.0.648.2:*:*:*:*:*:*:*
https://code.google.com/p/chromium/issues/detail?id=73716
https://downloads.avaya.com/css/P8/documents/100144158
https://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f
https://googlechromereleases.blogspot.com/2011/03/chrome-stable-release.html
https://scarybeastsecurity.blogspot.com/2011/03/multi-browser-heap-address-leak-in-xslt.html
https://www.mandriva.com/security/advisories?name=MDVSA-2011:079
https://www.mandriva.com/security/advisories?name=MDVSA-2012:164
https://www.securityfocus.com/bid/46785
https://www.vupen.com/english/advisories/2011/0628
https://bugzilla.redhat.com/show_bug.cgi?id=684386
https://exchange.xforce.ibmcloud.com/vulnerabilities/65966
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14244
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
