Chrome
by Google
Source repositories
CVEs (5,374)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17459 | Med | 0.42 | 6.5 | 0.01 | Jan 9, 2019 | Incorrect handling of clicks in the omnibox in Navigation in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | ||
| CVE-2018-16088 | Med | 0.42 | 6.5 | 0.01 | Jan 9, 2019 | A missing check for JS-simulated input events in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to download arbitrary files with no user input via a crafted HTML page. | ||
| CVE-2018-16082 | Med | 0.42 | 6.5 | 0.02 | Jan 9, 2019 | An out of bounds read in Swiftshader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | ||
| CVE-2018-16080 | Med | 0.42 | 6.5 | 0.01 | Jan 9, 2019 | A missing check for popup window handling in Fullscreen in Google Chrome on macOS prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | ||
| CVE-2018-16078 | Med | 0.42 | 6.5 | 0.02 | Jan 9, 2019 | Unsafe handling of credit card details in Autofill in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | ||
| CVE-2018-16072 | Med | 0.42 | 6.5 | 0.01 | Jan 9, 2019 | A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | ||
| CVE-2018-16067 | Med | 0.42 | 6.5 | 0.01 | Jan 9, 2019 | A use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||
| CVE-2018-16066 | Med | 0.42 | 6.5 | 0.01 | Jan 9, 2019 | A use after free in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | ||
| CVE-2018-18353 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Failure to dismiss http auth dialogs on navigation in Network Authentication in Google Chrome on Android prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of an auto dialog via a crafted HTML page. | ||
| CVE-2018-18352 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Service works could inappropriately gain access to cross origin audio in Media in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass same origin policy for audio content via a crafted HTML page. | ||
| CVE-2018-18351 | Med | 0.42 | 6.5 | 0.03 | Dec 11, 2018 | Lack of proper validation of ancestor frames site when sending lax cookies in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass SameSite cookie policy via a crafted HTML page. | ||
| CVE-2018-18350 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Incorrect handling of CSP enforcement during navigations in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass content security policy via a crafted HTML page. | ||
| CVE-2018-18349 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Remote frame navigations was incorrectly permitted to local resources in Blink in Google Chrome prior to 71.0.3578.80 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension. | ||
| CVE-2018-18346 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Incorrect handling of alert box display in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to present confusing browser UI via a crafted HTML page. | ||
| CVE-2018-18345 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Incorrect handling of blob URLS in Site Isolation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker who had compromised the renderer process to bypass site isolation protections via a crafted HTML page. | ||
| CVE-2018-18344 | Med | 0.42 | 6.5 | 0.01 | Dec 11, 2018 | Inappropriate allowance of the setDownloadBehavior devtools protocol feature in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker with control of an installed extension to access files on the local file system via a crafted Chrome Extension. | ||
| CVE-2018-6116 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | A nullptr dereference in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | ||
| CVE-2018-6115 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | Inappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially bypass OS malware checks via a crafted HTML page. | ||
| CVE-2018-6108 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page. | ||
| CVE-2018-6107 | Med | 0.42 | 6.5 | 0.01 | Dec 4, 2018 | Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
- risk 0.42cvss 6.5epss 0.01
Incorrect handling of clicks in the omnibox in Navigation in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
A missing check for JS-simulated input events in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to download arbitrary files with no user input via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.02
An out of bounds read in Swiftshader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
A missing check for popup window handling in Fullscreen in Google Chrome on macOS prior to 69.0.3497.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.02
Unsafe handling of credit card details in Autofill in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
A use after free in WebAudio in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
A use after free in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Failure to dismiss http auth dialogs on navigation in Network Authentication in Google Chrome on Android prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of an auto dialog via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Service works could inappropriately gain access to cross origin audio in Media in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass same origin policy for audio content via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.03
Lack of proper validation of ancestor frames site when sending lax cookies in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass SameSite cookie policy via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Incorrect handling of CSP enforcement during navigations in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass content security policy via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Remote frame navigations was incorrectly permitted to local resources in Blink in Google Chrome prior to 71.0.3578.80 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension.
- risk 0.42cvss 6.5epss 0.01
Incorrect handling of alert box display in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to present confusing browser UI via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Incorrect handling of blob URLS in Site Isolation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker who had compromised the renderer process to bypass site isolation protections via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Inappropriate allowance of the setDownloadBehavior devtools protocol feature in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker with control of an installed extension to access files on the local file system via a crafted Chrome Extension.
- risk 0.42cvss 6.5epss 0.01
A nullptr dereference in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Inappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially bypass OS malware checks via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page.
- risk 0.42cvss 6.5epss 0.01
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
Page 140 of 269