Comodo Dragon Vulnerability
PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.
Phong Xuan
Info:
CVE-2025-8206
CVE-2025-8205
CVE-2025-8204
Comodo Dragon 64-bit version
Download link: https://www.comodo.com/home/browsers-toolbars/browser.php

1. HSTS Problem
(Closest match: CWE-358: Improperly Implemented Security Check for Standard)
By default, browsers such as Chromium refuse to connect to a site presenting an invalid certificate when HSTS is in effect for that host. Comodo Dragon, however, has HSTS disabled, so the user is still offered a "Proceed to website" option, which can lead them to a spoofed site.
Steps to reproduce:
- The attacker needs a web server with HTTPS enabled (an invalid certificate is acceptable).
- Modify the hosts file:
<IP_of_fake_server> google.com
(To fully demonstrate the attack vector, the attacker can set up a machine inside the LAN to perform DNS spoofing.)
- Connect to https://google.com in Comodo Dragon; it shows a "Proceed to google.com" option.
- When the user clicks "Proceed", the connection succeeds.

Meanwhile, a normal browser would deny the connection in the first place.

2. Insecure connection problem
Comodo Dragon includes a built-in extension called "IP / DNS Leakage Detector", which fetches its data over plain HTTP. An attacker who can spoof DNS can therefore serve the extension an arbitrary response.
(To reproduce: modifying the hosts file on the victim's machine works as well.)

3. HTML Injection (must be chained with finding 2).

Response values such as the country name are inserted into the extension's page via the innerHTML property without any validation or sanitization.
An attacker can combine this with the DNS spoofing described above and send a malicious HTTP response that executes JavaScript or injects a phishing form.
On the spoofed server, the attacker can craft a fake response like this:

The file test.html can contain JavaScript code.

Tested with a modified hosts file: the JavaScript alert was displayed.
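To illustrate finding 3 (innerHTML rendering) together with the transport issue from finding 2, here is an added example; it is not the extension's own code, and the function names, the endpoint URL and the sample response are assumptions. It puts the vulnerable rendering pattern beside a hardened version and adds an HTTPS-only check on the lookup endpoint:

```javascript
// Constructed model of a popup that shows the country name from a geo-lookup
// response. Not the real extension's code; names and URL are assumptions.

// Constructed sample response, as a spoofed server could return it over HTTP.
const SAMPLE_RESPONSE = { country: '<img src=x onerror="alert(1)">' };

// Vulnerable pattern from the advisory: an untrusted response field is
// concatenated into innerHTML, so any markup in it is parsed and executed.
function renderUnsafe(el, resp) {
  el.innerHTML = '<b>Country:</b> ' + resp.country;
}

// Hardened step 1: only accept values that look like a country name
// (letters, spaces, dots, apostrophes, hyphens; bounded length).
const COUNTRY_RE = /^[\p{L} .'-]{1,64}$/u;
function validateCountry(value) {
  return typeof value === 'string' && COUNTRY_RE.test(value) ? value : 'unknown';
}

// Hardened step 2: write via textContent, which is never parsed as HTML.
function renderSafe(el, resp) {
  el.textContent = 'Country: ' + validateCountry(resp.country);
}

// If markup is genuinely needed (e.g. a bold label), escape the data part
// before it is placed into innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Transport check for finding 2: refuse any lookup endpoint that is not
// https:, so a DNS-spoofed server cannot hand the extension a response.
function assertHttpsEndpoint(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') throw new Error('lookup endpoint must use https: ' + url);
  return u.href;
}

// Minimal element stand-in so the example runs under Node without a DOM.
function fakeElement() { return { innerHTML: '', textContent: '' }; }

function demo() {
  const bad = fakeElement();  renderUnsafe(bad, SAMPLE_RESPONSE);
  const good = fakeElement(); renderSafe(good, SAMPLE_RESPONSE);
  return { unsafeMarkup: bad.innerHTML, safeText: good.textContent };
}
```

In a real browser the unsafe path would run the injected handler, while the hardened path shows only the validated text.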


Contact: Phong Xuan | LinkedIn