CVE-2017-5018
Publication date 17 February 2017
Last updated 25 August 2025
Ubuntu priority
Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| chromium-browser | ||
| 16.04 LTS xenial |
Fixed 56.0.2924.76-0ubuntu0.16.04.1268
|
|
| 14.04 LTS trusty |
Fixed 58.0.3029.81-0ubuntu0.14.04.1172
|
|
| oxide-qt | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.1 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |