CVE-2016-5204
Publication date 6 December 2016
Last updated 25 August 2025
Ubuntu priority
Description
Leaking of an SVG shadow tree leading to corruption of the DOM tree in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| chromium-browser | ||
| 16.04 LTS xenial |
Fixed 55.0.2883.87-0ubuntu0.16.04.1263
|
|
| 14.04 LTS trusty |
Fixed 58.0.3029.81-0ubuntu0.14.04.1172
|
|
| oxide-qt | ||
| 16.04 LTS xenial |
Fixed 1.19.4-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 1.19.4-0ubuntu0.14.04.1
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.1 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3153-1
- Oxide vulnerabilities
- 9 December 2016