CVE-2023-2460Improper Input Validation in Google Chrome

CWE-20Improper Input Validation6 documents6 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 91.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Google ChromeChromiumDebian Chromium+4 more
Timeline
PublishedMay 3
Latest updateMay 9

Description

Insufficient validation of untrusted input in Extensions in Google Chrome prior to 113.0.5672.63 allowed an attacker who convinced a user to install a malicious extension to bypass file access checks via a crafted HTML page. (Chromium security severity: Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages6 packages

CVEListV5google/chrome113.0.5672.63113.0.5672.63
NVDgoogle/chrome< 113.0.5672.63
debiandebian/chromium< chromium 113.0.5672.63-1 (bookworm)
Debianchromium/chromium< 113.0.5672.63-1~deb11u1+3

Also affects: Debian Linux 11.0, Fedora 36, 37, 38

🔴Vulnerability Details

2
OSV
CVE-2023-2460: Insufficient validation of untrusted input in Extensions in Google Chrome prior to 1132023-05-03
GHSA
GHSA-hvcr-qmgp-4wp3: Insufficient validation of untrusted input in Extensions in Google Chrome prior to 1132023-05-03

📋Vendor Advisories

3
Microsoft
Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions2023-05-09
Chrome
Stable Channel Update for Desktop: CVE-2023-24592023-05-02
Debian
CVE-2023-2460: chromium - Insufficient validation of untrusted input in Extensions in Google Chrome prior ...2023