WebKit before r53525, as used in Google Chrome before 4.0.249.89, allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed RUBY element, as demonstrated by a > sequence.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 9.3
Exploit Score: 8.6
Impact Score: 10.0
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE

Reference:

SECTRACK-1023583

BID-38177

SECUNIA-38545

SECUNIA-41856

SECUNIA-43068

OSVDB-62317

ADV-2010-0361

ADV-2010-2722

ADV-2011-0212

ADV-2011-0552

MDVSA-2011:039

SUSE-SR:2011:002

USN-1006-1

googlechrome-ruby-tags-code-exec(56214)

http://code.google.com/p/chromium/issues/detail?id=31692

http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html

http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs

http://trac.webkit.org/changeset/53525

https://bugs.webkit.org/show_bug.cgi?id=33266

oval:org.mitre.oval:def:14094