Bug 1086112 (CVE-2014-1716) - CVE-2014-1716 v8: cross-site scripting flaw in Runtime_SetPrototype()
Summary: CVE-2014-1716 v8: cross-site scripting flaw in Runtime_SetPrototype()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-1716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1086126
TreeView+ depends on / blocked
 
Reported: 2014-04-10 07:05 UTC by Murray McAllister
Modified: 2020-11-05 10:33 UTC (History)
51 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-06-16 10:35:12 UTC
Embargoed:

Attachments (Terms of Use)

Description Murray McAllister 2014-04-10 07:05:10 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1716 to
the following vulnerability:

Name: CVE-2014-1716
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1716
Assigned: 20140129
Reference: http://googlechromereleases.blogspot.com/2014/04/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=354123
Reference: https://code.google.com/p/v8/source/detail?r=20138

Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype
function in runtime.cc in Google V8, as used in Google Chrome before
34.0.1847.116, allows remote attackers to inject arbitrary web script
or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

From a brief, initial investigation, the function is not in the versions of v8 as shipped in Red Hat products.
Comment 1 Tomas Hoger 2014-06-16 10:35:12 UTC 
This fix is not applicable to v8 3.14.
Note You need to log in before you can comment on or make changes to this bug.