Google Chrome vulnerabilities

3,975 known vulnerabilities affecting google/chrome.

Total CVEs: 3,975
CISA KEV: 74 (actively exploited)
Public exploits: 63
Exploited in wild: 65

Severity breakdown
CRITICAL: 297
HIGH: 2024
MEDIUM: 1626
LOW: 17
UNKNOWN: 11

Vulnerabilities

Page 113 of 199
CVE-2018-6139 | HIGH | CVSS 8.8 | fixed in 67.0.3396.62 | ≥ unspecified, < 67.0.3396.62 | 2019-01-09
CVE-2018-6139 [HIGH] CWE-20: Insufficient target checks on the chrome.debugger API in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.
nvd
CVE-2016-10403 | HIGH | CVSS 8.8 | fixed in 51.0.2704.63 | ≥ unspecified, < 51.0.2704.63 | 2019-01-09
CVE-2016-10403 [HIGH] CWE-125: Insufficient data validation on image data in PDFium in Google Chrome prior to 51.0.2704.63 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.
nvd
CVE-2018-16065 | HIGH | CVSS 8.8 | fixed in 69.0.3497.81 | ≥ unspecified, < 69.0.3497.81 | 2019-01-09
CVE-2018-16065 [HIGH] CWE-416: A JavaScript reentrancy issue that caused a use-after-free in V8 in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
nvd
CVE-2018-16083 | HIGH | CVSS 8.8 | PoC | fixed in 69.0.3497.81 | ≥ unspecified, < 69.0.3497.81 | 2019-01-09
CVE-2018-16083 [HIGH] CWE-125: An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
nvd
CVE-2018-17458 | HIGH | CVSS 8.8 | fixed in 69.0.3497.92 | ≥ unspecified, < 69.0.3497.92 | 2019-01-09
CVE-2018-17458 [HIGH] CWE-129: An improper update of the WebAssembly dispatch table in WebAssembly in Google Chrome prior to 69.0.3497.92 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
nvd
CVE-2018-16081 | HIGH | CVSS 7.4 | fixed in 69.0.3497.81 | ≥ unspecified, < 69.0.3497.81 | 2019-01-09
CVE-2018-16081 [HIGH] CWE-862: Allowing the chrome.debugger API to run on file:// URLs in DevTools in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system without file access permission via a crafted Chrome Extension.
nvd
CVE-2018-6140 | HIGH | CVSS 8.8 | fixed in 67.0.3396.62 | ≥ unspecified, < 67.0.3396.62 | 2019-01-09
CVE-2018-6140 [HIGH] CWE-20: Allowing the chrome.debugger API to attach to Web UI pages in DevTools in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.
nvd
CVE-2018-6124 | HIGH | CVSS 8.8 | fixed in 67.0.3396.62 | ≥ unspecified, < 67.0.3396.62 | 2019-01-09
CVE-2018-6124 [HIGH] CWE-704: Type confusion in ReadableStreams in Blink in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.
nvd
CVE-2018-16071 | HIGH | CVSS 8.8 | PoC | fixed in 69.0.3497.81 | ≥ unspecified, < 69.0.3497.81 | 2019-01-09
CVE-2018-16071 [HIGH] CWE-416: A use after free in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to potentially exploit heap corruption via a crafted video file.
nvd
CVE-2017-15405 | HIGH | CVSS 7.0 | fixed in 61.0.3163.113 | ≥ unspecified, < 61.0.3163.113 | 2019-01-09
CVE-2017-15405 [HIGH] CWE-362: Inappropriate symlink handling and a race condition in the stateful recovery feature implementation could lead to a persistence established by a malicious code running with root privileges in cryptohomed in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.
nvd
CVE-2017-15403 | HIGH | CVSS 7.3 | fixed in 61.0.3163.113 | ≥ unspecified, < 61.0.3163.113 | 2019-01-09
CVE-2017-15403 [HIGH] CWE-77: Insufficient data validation in crosh could lead to a command injection under chronos privileges in Networking in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.
nvd
CVE-2018-6126 | HIGH | CVSS 8.8 | PoC | fixed in 67.0.3396.62 | ≥ unspecified, < 67.0.3396.62 | 2019-01-09
CVE-2018-6126 [HIGH] CWE-787: A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
nvd
CVE-2018-6141 | HIGH | CVSS 8.8 | fixed in 67.0.3396.62 | ≥ unspecified, < 67.0.3396.62 | 2019-01-09
CVE-2018-6141 [HIGH] CWE-125: Insufficient validation of an image filter in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page.
nvd
CVE-2018-20071 | MEDIUM | CVSS 6.1 | fixed in 70.0.3538.67 | ≥ unspecified, < 70.0.3538.67 | 2019-01-09
CVE-2018-20071 [MEDIUM] CWE-79: Insufficiently strict origin checks during JIT payment app installation in Payments in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to install a service worker for a domain that can host attacker controlled files via a crafted HTML page.
nvd
CVE-2018-6097 | MEDIUM | CVSS 6.5 | fixed in 66.0.3359.117 | ≥ unspecified, < 66.0.3359.117 | 2019-01-09
CVE-2018-6097 [MEDIUM] CWE-19: Incorrect handling of asynchronous methods in Fullscreen in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to enter full screen without showing a warning via a crafted HTML page.
nvd
CVE-2018-6110 | MEDIUM | CVSS 5.4 | fixed in 66.0.3359.117 | ≥ unspecified, < 66.0.3359.117 | 2019-01-09
CVE-2018-6110 [MEDIUM] CWE-20: Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.
nvd
CVE-2018-20067 | MEDIUM | CVSS 4.3 | fixed in 71.0.3578.80 | ≥ unspecified, < 71.0.3578.80 | 2019-01-09
CVE-2018-20067 [MEDIUM]: A renderer initiated back navigation was incorrectly allowed to cancel a browser initiated one in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to confuse the user about the origin of the current page via a crafted HTML page.
nvd
CVE-2018-16078 | MEDIUM | CVSS 6.5 | fixed in 69.0.3497.81 | ≥ unspecified, < 69.0.3497.81 | 2019-01-09
CVE-2018-16078 [MEDIUM] CWE-200: Unsafe handling of credit card details in Autofill in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
nvd
CVE-2018-6147 | MEDIUM | CVSS 5.5 | fixed in 67.0.3396.62 | ≥ unspecified, < 67.0.3396.62 | 2019-01-09
CVE-2018-6147 [MEDIUM] CWE-200: Lack of secure text entry mode in Browser UI in Google Chrome on Mac prior to 67.0.3396.62 allowed a local attacker to obtain potentially sensitive information from process memory via a local process.
nvd
CVE-2018-6112 | MEDIUM | CVSS 4.3 | fixed in 66.0.3359.117 | ≥ unspecified, < 66.0.3359.117 | 2019-01-09
CVE-2018-6112 [MEDIUM] CWE-706: Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
nvd