Multiple vulnerabilities in Yandex Browser
Published: 2016-10-26 | Updated: 2020-08-09
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2016-8506, CVE-2016-8502
CWE-ID: CWE-79, CWE-254
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Yandex Browser
Client/Desktop applications / Other client software

Vendor Yandex N. V.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU40069

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8506

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

A cross-site scripting (XSS) flaw in the Yandex Browser Translator in Yandex Browser for desktop, versions 15.12 to 16.2, could be used by a remote attacker to execute arbitrary JavaScript code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Yandex Browser: 15.2.2214.3645 - 16.2.0.3539

External links

http://www.securityfocus.com/bid/93927
http://browser.yandex.com/security/changelogs/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security Features

EUVDB-ID: #VU40071

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8502

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The Yandex Protect anti-phishing warning in Yandex Browser for desktop, versions 15.12.0 to 16.2, could be used by a remote attacker to brute-force passwords for an important web resource using specially crafted JavaScript.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Yandex Browser: 15.12.0.6151 - 16.2.0.3539

External links

http://www.securityfocus.com/bid/93923
http://browser.yandex.com/security/changelogs/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
