基于chrome内核的UXSS

时间:2023-03-08 19:33:06
url with a leading NULL byte can bypass cross origin protection.

https://code.google.com/p/chromium/issues/detail?id=37383

Universal XSS in frame elements handling

https://code.google.com/p/chromium/issues/detail?id=143439

Pwnium UXSS variation

https://code.google.com/p/chromium/issues/detail?id=117550            

UXSS with document.baseURI

https://code.google.com/p/chromium/issues/detail?id=90222

Universal XSS using widget updates in ContainerNode::parserRemoveChild

https://bugs.chromium.org/p/chromium/issues/detail?id=560011

Security: Universal XSS using Flash message loop

https://bugs.chromium.org/p/chromium/issues/detail?id=569496

Cross-origin access using window.execScript + code execution

https://bugs.chromium.org/p/chromium/issues/detail?id=83096    

Universal XSS using contentWindow.eval

https://bugs.chromium.org/p/chromium/issues/detail?id=83743

UXSS with empty SecurityOrigin

https://bugs.chromium.org/p/chromium/issues/detail?id=89453    

UXSS / frame escape with window.open

https://bugs.chromium.org/p/chromium/issues/detail?id=89520    

UXSS with document.baseURI

https://bugs.chromium.org/p/chromium/issues/detail?id=90222

Arbitrary cross-origin bypass using __defineGetter__ prototype override

https://bugs.chromium.org/p/chromium/issues/detail?id=93416

UXSS using Object.getPrototypeOf

https://bugs.chromium.org/p/chromium/issues/detail?id=93759

Cross-origin access to window.__proto__

https://bugs.chromium.org/p/chromium/issues/detail?id=95671

UXSS and use-after-free when DOMWindow is accessed after navigation

https://bugs.chromium.org/p/chromium/issues/detail?id=96047

UXSS via Object::GetRealNamedPropertyInPrototypeChain

https://bugs.chromium.org/p/chromium/issues/detail?id=96885

UXSS via HTMLObjectElement

https://bugs.chromium.org/p/chromium/issues/detail?id=98053

UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document

https://bugs.chromium.org/p/chromium/issues/detail?id=99512

UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads

https://bugs.chromium.org/p/chromium/issues/detail?id=99750

Location bar spoofing when using replaceState in unload event handler

https://bugs.chromium.org/p/chromium/issues/detail?id=101235

Pwnium UXSS variation

https://bugs.chromium.org/p/chromium/issues/detail?id=117550

v8 builtins object exposed to user causing UXSS

https://bugs.chromium.org/p/chromium/issues/detail?id=143437

Universal XSS in frame elements handling

https://bugs.chromium.org/p/chromium/issues/detail?id=143439

相关文章