Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2016-8506 CVE-2016-8502 |
CWE-ID | CWE-79 CWE-254 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Yandex Browser Client/Desktop applications / Other client software |
Vendor | Yandex N. V. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU40069
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8506
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code.
MitigationInstall update from vendor's website.
Vulnerable software versionsYandex Browser: 15.2.2214.3645 - 16.2.0.3539
External linkshttp://www.securityfocus.com/bid/93927
http://browser.yandex.com/security/changelogs/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU40071
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8502
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 15.12.0 to 16.2 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.
MitigationInstall update from vendor's website.
Vulnerable software versionsYandex Browser: 15.12.0.6151 - 16.2.0.3539
External linkshttp://www.securityfocus.com/bid/93923
http://browser.yandex.com/security/changelogs/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.