Vulnerability Details : CVE-2017-5090
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 59.0.3071.115 for Mac allowed a remote attacker to perform domain spoofing via a crafted domain name containing a U+0620 character, aka Apple rdar problem 32458012.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2017-5090
Probability of exploitation activity in the next 30 days: 0.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-5090
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2017-5090
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5090
-
http://www.securityfocus.com/bid/101591
Google Chrome CVE-2017-5090 Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://crbug.com/725660
725660 - [IDN Phishing] Use the "xn--fgb" character to hide the real URL: Block U+0620 on Mac only. - chromium - MonorailIssue Tracking;Third Party Advisory
Products affected by CVE-2017-5090
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*