CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Google : Security Vulnerabilities (Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-7905 284 Bypass 2014-11-19 2014-11-19
5.0
None Remote Low Not required None Partial None
Google Chrome before 39.0.2171.65 on Android does not prevent navigation to a URL in cases where an intent for the URL lacks CATEGORY_BROWSABLE, which allows remote attackers to bypass intended access restrictions via a crafted web site.
2 CVE-2014-6041 264 Bypass 2014-09-02 2014-09-19
5.8
None Remote Medium Not required Partial Partial None
The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.
3 CVE-2014-3196 264 Bypass 2014-10-08 2014-10-08
7.5
None Remote Low Not required Partial Partial Partial
base/memory/shared_memory_win.cc in Google Chrome before 38.0.2125.101 on Windows does not properly implement read-only restrictions on shared memory, which allows attackers to bypass a sandbox protection mechanism via unspecified vectors.
4 CVE-2014-3172 264 Bypass 2014-08-26 2014-11-05
6.4
None Remote Low Not required Partial Partial None
The Debugger extension API in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 37.0.2062.94 does not validate a tab's URL before an attach operation, which allows remote attackers to bypass intended access limitations via an extension that uses a restricted URL, as demonstrated by a chrome:// URL.
5 CVE-2014-3161 264 Bypass 2014-07-20 2014-07-21
7.5
None Remote Low Not required Partial Partial Partial
The WebMediaPlayerAndroid::load function in content/renderer/media/android/webmediaplayer_android.cc in Google Chrome before 36.0.1985.122 on Android does not properly interact with redirects, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that hosts a video stream.
6 CVE-2014-3160 264 Bypass 2014-07-20 2014-11-05
6.8
None Remote Medium Not required Partial Partial Partial
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.
7 CVE-2014-3100 119 Exec Code Overflow Bypass +Info 2014-07-02 2014-07-02
5.1
None Remote High Not required Partial Partial Partial
Stack-based buffer overflow in the encode_key function in /system/bin/keystore in the KeyStore service in Android 4.3 allows attackers to execute arbitrary code, and consequently obtain sensitive key information or bypass intended restrictions on cryptographic operations, via a long key name.
8 CVE-2014-1909 189 Exec Code Overflow Bypass 2014-05-13 2014-05-14
7.5
None Remote Low Not required Partial Partial Partial
Integer signedness error in system/core/adb/adb_client.c in Android Debug Bridge (ADB) for Android 4.4 in the Android SDK Platform Tools 18.0.1 allows ADB servers to execute arbitrary code via a negative length value, which bypasses a signed comparison and triggers a stack-based buffer overflow.
9 CVE-2014-1733 20 Bypass 2014-04-26 2014-05-23
7.5
None Remote Low Not required Partial Partial Partial
The PointerCompare function in codegen.cc in Seccomp-BPF, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly merge blocks, which might allow remote attackers to bypass intended sandbox restrictions by leveraging renderer access.
10 CVE-2014-1730 264 Bypass 2014-04-26 2014-05-23
7.8
None Remote Low Not required Complete None None
Google V8, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly store internationalization metadata, which allows remote attackers to bypass intended access restrictions by leveraging "type confusion" and reading property values, related to i18n.js and runtime.cc.
11 CVE-2014-1726 Bypass 2014-04-09 2014-05-23
4.3
None Remote Medium Not required None Partial None
The drag implementation in Google Chrome before 34.0.1847.116 allows user-assisted remote attackers to bypass the Same Origin Policy and forge local pathnames by leveraging renderer access.
12 CVE-2014-1703 399 Bypass 2014-03-16 2014-05-23
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the WebSocketDispatcherHost::SendOrDrop function in content/browser/renderer_host/websocket_dispatcher_host.cc in the Web Sockets implementation in Google Chrome before 33.0.1750.149 might allow remote attackers to bypass the sandbox protection mechanism by leveraging an incorrect deletion in a certain failure case.
13 CVE-2013-6802 264 Bypass 2013-11-18 2013-12-13
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 31.0.1650.57 allows remote attackers to bypass intended sandbox restrictions by leveraging access to a renderer process, as demonstrated during a Mobile Pwn2Own competition at PacSec 2013, a different vulnerability than CVE-2013-6632.
14 CVE-2013-6666 264 Bypass 2014-03-05 2014-04-01
5.8
None Remote Medium Not required Partial Partial None
The PepperFlashRendererHost::OnNavigate function in renderer/pepper/pepper_flash_renderer_host.cc in Google Chrome before 33.0.1750.146 does not verify that all headers are Cross-Origin Resource Sharing (CORS) simple headers before proceeding with a PPB_Flash.Navigate operation, which might allow remote attackers to bypass intended CORS restrictions via an inappropriate header.
15 CVE-2013-6661 Bypass 2014-02-23 2014-04-01
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google Chrome before 33.0.1750.117 allow attackers to bypass the sandbox protection mechanism after obtaining renderer access, or have other impact, via unknown vectors.
16 CVE-2013-6657 264 XSS Bypass +Info 2014-02-23 2014-04-01
6.4
None Remote Low Not required Partial Partial None
core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 33.0.1750.117, inserts the about:blank URL during certain blocking of FORM elements within HTTP requests, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via unspecified vectors.
17 CVE-2013-6652 22 Dir. Trav. Bypass 2014-02-23 2014-02-24
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in sandbox/win/src/named_pipe_dispatcher.cc in Google Chrome before 33.0.1750.117 on Windows allows attackers to bypass intended named-pipe policy restrictions in the sandbox via vectors related to (1) lack of checks for .. (dot dot) sequences or (2) lack of use of the \\?\ protection mechanism.
18 CVE-2013-6271 264 Bypass 2013-12-14 2013-12-18
8.8
None Remote Medium Not required Complete Complete None
Android 4.0 through 4.3 allows attackers to bypass intended access restrictions and remove device locks via a crafted application that invokes the updateUnlockMethodAndFinish method in the com.android.settings.ChooseLockGeneric class with the PASSWORD_QUALITY_UNSPECIFIED option.
19 CVE-2013-2881 264 Bypass 2013-07-31 2013-11-02
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 28.0.1500.95 does not properly handle frames, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
20 CVE-2013-2874 264 Bypass 2013-07-10 2013-11-02
4.3
None Remote Medium Not required Partial None None
Google Chrome before 28.0.1500.71 on Windows, when an Nvidia GPU is used, allows remote attackers to bypass intended restrictions on access to screen data via vectors involving IPC transmission of GL textures.
21 CVE-2013-2859 Bypass 2013-06-04 2013-12-05
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 27.0.1453.110 allows remote attackers to bypass the Same Origin Policy and trigger namespace pollution via unspecified vectors.
22 CVE-2013-2835 264 Bypass 2013-04-16 2013-04-17
5.0
None Remote Low Not required None Partial None
Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2834.
23 CVE-2013-2834 264 Bypass 2013-04-16 2013-04-17
5.0
None Remote Low Not required None Partial None
Google Chrome OS before 26.0.1410.57 does not properly enforce origin restrictions for the O3D and Google Talk plug-ins, which allows remote attackers to bypass the domain-whitelist protection mechanism via a crafted web site, a different vulnerability than CVE-2013-2835.
24 CVE-2013-0927 59 Bypass 2013-04-10 2013-04-11
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome OS before 26.0.1410.57 relies on a Pango pango-utils.c read_config implementation that loads the contents of the .pangorc file in the user's home directory, and the file referenced by the PANGO_RC_FILE environment variable, which allows attackers to bypass intended access restrictions via crafted configuration data.
25 CVE-2013-0921 264 Bypass 2013-03-28 2013-11-02
6.8
None Remote Medium Not required Partial Partial Partial
The Isolated Sites feature in Google Chrome before 26.0.1410.43 does not properly enforce the use of separate processes, which makes it easier for remote attackers to bypass intended access restrictions via a crafted web site.
26 CVE-2013-0910 287 Bypass 2013-03-05 2013-11-02
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 25.0.1364.152 does not properly manage the interaction between the browser process and renderer processes during authorization of the loading of a plug-in, which makes it easier for remote attackers to bypass intended access restrictions via vectors involving a blocked plug-in.
27 CVE-2013-0829 264 Bypass 2013-01-15 2013-11-02
6.4
None Remote Low Not required Partial Partial None
Google Chrome before 24.0.1312.52 does not properly maintain database metadata, which allows remote attackers to bypass intended file-access restrictions via unspecified vectors.
28 CVE-2012-6140 200 Bypass +Info 2013-04-24 2013-05-07
1.9
None Local Medium Not required Partial None None
pam_google_authenticator.c in the PAM module in Google Authenticator before 1.0 requires user-readable permissions for the secret file, which allows local users to bypass intended access restrictions and discover a shared secret via standard filesystem operations, a different vulnerability than CVE-2013-0258.
29 CVE-2012-5851 79 XSS Bypass 2012-11-15 2012-11-19
4.3
None Remote Medium Not required None Partial None
html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome through 22 and Safari 5.1.7, does not consider all possible output contexts of reflected data, which makes it easier for remote attackers to bypass a cross-site scripting (XSS) protection mechanism via a crafted string, aka rdar problem 12019108.
30 CVE-2012-5376 264 Bypass 2012-10-11 2013-11-02
10.0
None Remote Low Not required Complete Complete Complete
The Inter-process Communication (IPC) implementation in Google Chrome before 22.0.1229.94 allows remote attackers to bypass intended sandbox restrictions and write to arbitrary files by leveraging access to a renderer process, a different vulnerability than CVE-2012-5112.
31 CVE-2012-5155 264 Bypass 2013-01-15 2013-01-16
5.0
None Remote Low Not required None Partial None
Google Chrome before 24.0.1312.52 on Mac OS X does not use an appropriate sandboxing approach for worker processes, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors.
32 CVE-2012-5146 264 Bypass 2013-01-15 2013-11-02
5.0
None Remote Low Not required None Partial None
Google Chrome before 24.0.1312.52 allows remote attackers to bypass the Same Origin Policy via a malformed URL.
33 CVE-2012-4908 264 Bypass 2012-09-13 2012-09-14
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 18.0.1025308 on Android allows remote attackers to bypass the Same Origin Policy and obtain access to local files via vectors involving a symlink.
34 CVE-2012-3484 264 +Priv Bypass 2012-08-26 2012-08-27
7.2
Admin Local Low Not required Complete Complete Complete
Tunnelblick 3.3beta20 and earlier relies on a test for specific ownership and permissions to determine whether a program can be safely executed, which allows local users to bypass intended access restrictions and gain privileges via a (1) user-mountable image or (2) network share.
35 CVE-2012-2899 79 XSS Bypass 2014-01-05 2014-01-06
4.3
None Remote Medium Not required None Partial None
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors involving the document.write method.
36 CVE-2012-2892 Bypass 2012-09-26 2013-11-02
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in Google Chrome before 22.0.1229.79 allows remote attackers to bypass the pop-up blocker via unknown vectors.
37 CVE-2012-2848 264 Bypass 2012-08-06 2012-08-13
4.3
None Remote Medium Not required None Partial None
The drag-and-drop implementation in Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows user-assisted remote attackers to bypass intended file access restrictions via a crafted web site.
38 CVE-2012-1846 264 Bypass 2012-03-22 2012-08-13
10.0
None Remote Low Not required Complete Complete Complete
Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the sandbox protection mechanism by leveraging access to a sandboxed process, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary affected product may be clarified later; it was not identified by the researcher, who reportedly stated "it really doesn't matter if it's third-party code."
39 CVE-2012-1845 399 Exec Code Bypass 2012-03-22 2013-09-07
10.0
None Remote Low Not required Complete Complete Complete
Use-after-free vulnerability in Google Chrome 17.0.963.66 and earlier allows remote attackers to bypass the DEP and ASLR protection mechanisms, and execute arbitrary code, via unspecified vectors, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012. NOTE: the primary affected product may be clarified later; it was not identified by the researcher, who reportedly stated "it really doesn't matter if it's third-party code."
40 CVE-2011-4213 264 Exec Code Bypass 2011-10-30 2012-04-19
7.2
None Local Low Not required Complete Complete Complete
The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.
41 CVE-2011-4212 264 Exec Code Bypass 2011-10-30 2011-10-31
7.2
None Local Low Not required Complete Complete Complete
The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent os.popen calls, which allows local users to bypass intended access restrictions and execute arbitrary commands via a dev_appserver.RestrictedPathFunction._original_os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.
42 CVE-2011-4211 264 Exec Code Bypass 2011-10-30 2011-10-31
7.2
None Local Low Not required Complete Complete Complete
The FakeFile implementation in the sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly control the opening of files, which allows local users to bypass intended access restrictions and create arbitrary files via ALLOWED_MODES and ALLOWED_DIRS changes within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.
43 CVE-2011-3956 264 Bypass 2012-02-08 2013-11-15
5.0
None Remote Low Not required None Partial None
The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension.
44 CVE-2011-3887 264 Bypass 2011-10-25 2012-11-06
5.0
None Remote Low Not required Partial None None
Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors.
45 CVE-2011-3881 XSS Bypass 2011-10-25 2014-10-04
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to (1) the DOMWindow::clear function and use of a selection object, (2) the Object::GetRealNamedPropertyInPrototypeChain function and use of an __proto__ property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL, (4) incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and (5) improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function.
46 CVE-2011-3084 264 Bypass 2012-05-15 2012-11-06
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 19.0.1084.46 does not use a dedicated process for the loading of links found on an internal page, which might allow attackers to bypass intended sandbox restrictions via a crafted page.
47 CVE-2011-3080 362 Bypass 2012-05-01 2012-08-13
7.5
None Remote Low Not required Partial Partial Partial
Race condition in the Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168 allows attackers to bypass intended sandbox restrictions via unspecified vectors.
48 CVE-2011-3072 264 Bypass 2012-04-05 2013-02-14
5.0
None Remote Low Not required None Partial None
Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to pop-up windows.
49 CVE-2011-3067 264 Bypass 2012-04-05 2013-02-14
5.0
None Remote Low Not required None Partial None
Google Chrome before 18.0.1025.151 allows remote attackers to bypass the Same Origin Policy via vectors related to replacement of IFRAME elements.
50 CVE-2011-3056 20 Bypass 2012-03-22 2012-11-06
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 17.0.963.83 allows remote attackers to bypass the Same Origin Policy via vectors involving a "magic iframe."
Total number of vulnerabilities : 95   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.