Google Chrome vulnerabilities

CVE-2019-5774 [HIGH] CWE-862 CVE-2019-5774: Omission of the .desktop filetype from the Safe Browsing checklist in SafeBrowsing in Google Chrome Omission of the .desktop filetype from the Safe Browsing checklist in SafeBrowsing in Google Chrome on Linux prior to 72.0.3626.81 allowed an attacker who convinced a user to download a .desktop file to execute arbitrary code via a downloaded .desktop file.

CVE-2019-5769 [HIGH] CWE-20 CVE-2019-5769: Incorrect handling of invalid end character position when front rendering in Blink in Google Chrome Incorrect handling of invalid end character position when front rendering in Blink in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-5767 [MEDIUM] CWE-1021 CVE-2019-5767: Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.8 Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK.

CVE-2019-5776 [MEDIUM] CVE-2019-5776: Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allow Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

CVE-2019-5777 [MEDIUM] CVE-2019-5777: Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allow Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

CVE-2019-5766 [MEDIUM] CVE-2019-5766: Incorrect handling of origin taint checking in Canvas in Google Chrome prior to 72.0.3626.81 allowed Incorrect handling of origin taint checking in Canvas in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2019-5754 [MEDIUM] CWE-327 CVE-2019-5754: Implementation error in QUIC Networking in Google Chrome prior to 72.0.3626.81 allowed an attacker r Implementation error in QUIC Networking in Google Chrome prior to 72.0.3626.81 allowed an attacker running or able to cause use of a proxy server to obtain cleartext of transport encryption via malicious network proxy.

CVE-2019-5775 [MEDIUM] CVE-2019-5775: Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allow Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

CVE-2019-5773 [MEDIUM] CWE-346 CVE-2019-5773: Insufficient origin validation in IndexedDB in Google Chrome prior to 72.0.3626.81 allowed a remote Insufficient origin validation in IndexedDB in Google Chrome prior to 72.0.3626.81 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page.

CVE-2019-5778 [MEDIUM] CWE-79 CVE-2019-5778: A missing case for handling special schemes in permission request checks in Extensions in Google Chr A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension permission checks for privileged pages via a crafted Chrome Extension.

CVE-2019-5779 [MEDIUM] CWE-862 CVE-2019-5779: Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a rem Insufficient policy validation in ServiceWorker in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

CVE-2019-5768 [MEDIUM] CWE-269 CVE-2019-5768: DevTools API not correctly gating on extension capability in DevTools in Google Chrome prior to 72.0 DevTools API not correctly gating on extension capability in DevTools in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to read local files via a crafted Chrome Extension.

CVE-2019-5781 [MEDIUM] CVE-2019-5781: Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allow Incorrect handling of a confusable character in Omnibox in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.

CVE-2019-5765 [MEDIUM] CWE-312 CVE-2019-5765: An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allow An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.

CVE-2018-16068 [CRITICAL] CWE-20 CVE-2018-16068: Missing validation in Mojo in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to poten Missing validation in Mojo in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

CVE-2018-6127 [CRITICAL] CWE-416 CVE-2018-6127: Early free of object in use in IndexDB in Google Chrome prior to 67.0.3396.62 allowed a remote attac Early free of object in use in IndexDB in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2017-15402 [CRITICAL] CWE-20 CVE-2017-15402: Using an ID that can be controlled by a compromised renderer which allows any frame to overwrite the Using an ID that can be controlled by a compromised renderer which allows any frame to overwrite the page_state of any other frame in the same process in Navigation in Google Chrome on Chrome OS prior to 62.0.3202.74 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2018-6084 [HIGH] CWE-20 CVE-2018-6084: Insufficiently sanitized distributed objects in Updater in Google Chrome on macOS prior to 66.0.3359 Insufficiently sanitized distributed objects in Updater in Google Chrome on macOS prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via an executable file.

CVE-2018-6144 [HIGH] CWE-787 CVE-2018-6144: Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perfo Off-by-one error in PDFium in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file.

CVE-2017-15404 [HIGH] CWE-367 CVE-2017-15404: An ability to process crash dumps under root privileges and inappropriate symlinks handling could le An ability to process crash dumps under root privileges and inappropriate symlinks handling could lead to a local privilege escalation in Crash Reporting in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to perform privilege escalation via a crafted HTML page.