Vulnerability Details : CVE-2014-1723
The UnescapeURLWithOffsetsImpl function in net/base/escape.cc in Google Chrome before 34.0.1847.116 does not properly handle bidirectional Internationalized Resource Identifiers (IRIs), which makes it easier for remote attackers to spoof URLs via crafted use of right-to-left (RTL) Unicode text.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2014-1723
Probability of exploitation activity in the next 30 days: 1.12%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 83 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-1723
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-1723
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1723
-
http://googlechromereleases.blogspot.com/2014/04/stable-channel-update.html
Chrome Releases: Stable Channel UpdateVendor Advisory
-
http://security.gentoo.org/glsa/glsa-201408-16.xml
Chromium: Multiple vulnerabilities (GLSA 201408-16) — Gentoo security
-
http://lists.opensuse.org/opensuse-updates/2014-05/msg00012.html
openSUSE-SU-2014:0601-1: moderate: update for chromium
-
https://src.chromium.org/viewvc/chrome?revision=254091&view=revision
[chrome] Revision 254091
-
http://www.debian.org/security/2014/dsa-2905
Debian -- Security Information -- DSA-2905-1 chromium-browser
-
https://code.google.com/p/chromium/issues/detail?id=337746
337746 - Security: unicode character can create phishing-friendly address bar - chromium - Monorail
Products affected by CVE-2014-1723
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*