| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-6119 |
20 |
|
|
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect security UI in Omnibox in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
2 |
CVE-2018-6053 |
200 |
|
+Info |
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Inappropriate implementation in New Tab Page in Google Chrome prior to 64.0.3282.119 allowed a local attacker to view website thumbnail images after clearing browser data via a crafted HTML page. |
|
3 |
CVE-2018-6052 |
200 |
|
+Info |
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Lack of support for a non standard no-referrer policy value in Blink in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to obtain referrer details from a web page that had thought it had opted out of sending referrer data. |
|
4 |
CVE-2018-6051 |
79 |
|
XSS |
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
XSS Auditor in Google Chrome prior to 64.0.3282.119, did not ensure the reporting URL was in the same origin as the page it was on, which allowed a remote attacker to obtain referrer details via a crafted HTML page. |
|
5 |
CVE-2018-6050 |
20 |
|
|
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect security UI in Omnibox in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
6 |
CVE-2018-6049 |
254 |
|
|
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect security UI in permissions prompt in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to spoof the origin to which permission is granted via a crafted HTML page. |
|
7 |
CVE-2018-6048 |
20 |
|
+Info |
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in Blink in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak referrer information via a crafted HTML page. |
|
8 |
CVE-2018-6047 |
20 |
|
|
2018-09-25 |
2018-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in WebGL in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak user redirect URL via a crafted HTML page. |
|
9 |
CVE-2018-6046 |
20 |
|
|
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient data validation in DevTools in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak user cross-origin data via a crafted Chrome Extension. |
|
10 |
CVE-2018-6045 |
200 |
|
+Info |
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in DevTools in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak user local file data via a crafted Chrome Extension. |
|
11 |
CVE-2018-6042 |
20 |
|
|
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect security UI in Omnibox in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
12 |
CVE-2018-6041 |
20 |
|
|
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect security UI in navigation in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
13 |
CVE-2018-6040 |
254 |
|
Bypass |
2018-09-25 |
2018-11-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient policy enforcement in Blink in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially bypass content security policy via a crafted HTML page. |
|
14 |
CVE-2018-6039 |
20 |
|
|
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient data validation in DevTools in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak user cross-origin data via a crafted Chrome Extension. |
|
15 |
CVE-2018-6038 |
125 |
|
Overflow |
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap buffer overflow in WebGL in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. |
|
16 |
CVE-2018-6037 |
200 |
|
+Info |
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Inappropriate implementation in autofill in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to obtain autofill data with insufficient user gestures via a crafted HTML page. |
|
17 |
CVE-2018-6036 |
20 |
|
|
2018-09-25 |
2018-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient data validation in V8 in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak user data via a crafted HTML page. |
|
18 |
CVE-2018-6032 |
20 |
|
|
2018-09-25 |
2018-11-13 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in Blink in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially leak user cross-origin data via a crafted HTML page. |
|
19 |
CVE-2017-1000460 |
476 |
|
|
2018-01-03 |
2018-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(&gb) is called on an uninitialized get_bits context, which causes a NULL deref exception. |
|
20 |
CVE-2017-15430 |
264 |
|
Bypass |
2018-08-28 |
2018-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Unsafe navigation in Chromecast in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. |
|
21 |
CVE-2017-15429 |
79 |
|
XSS |
2018-08-28 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Inappropriate implementation in V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. |
|
22 |
CVE-2017-15427 |
79 |
|
XSS |
2018-08-28 |
2018-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar. |
|
23 |
CVE-2017-15426 |
20 |
|
|
2018-08-28 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. |
|
24 |
CVE-2017-15425 |
20 |
|
|
2018-08-28 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. |
|
25 |
CVE-2017-15424 |
20 |
|
|
2018-08-28 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. |
|
26 |
CVE-2017-15422 |
190 |
|
Overflow |
2018-08-28 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. |
|
27 |
CVE-2017-15420 |
20 |
|
|
2018-08-28 |
2018-11-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Inappropriate implementation in browser navigation in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
28 |
CVE-2017-15419 |
601 |
|
|
2018-08-28 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. |
|
29 |
CVE-2017-15418 |
119 |
|
Overflow +Info |
2018-08-28 |
2018-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Use of uninitialized memory in Skia in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
|
30 |
CVE-2017-15416 |
119 |
|
Overflow |
2018-08-28 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Heap buffer overflow in Blob API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka a Blink out-of-bounds read. |
|
31 |
CVE-2017-15415 |
20 |
|
|
2018-08-28 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Incorrect serialization in IPC in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the value of a pointer via a crafted HTML page. |
|
32 |
CVE-2017-15396 |
119 |
|
Overflow |
2018-08-28 |
2018-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
|
33 |
CVE-2017-15395 |
416 |
|
|
2018-02-07 |
2018-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A use after free in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an ImageCapture NULL pointer dereference. |
|
34 |
CVE-2017-15394 |
20 |
|
|
2018-02-07 |
2018-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing in permission dialogs via IDN homographs in a crafted Chrome Extension. |
|
35 |
CVE-2017-15392 |
20 |
|
|
2018-02-07 |
2018-02-23 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Insufficient data validation in V8 in Google Chrome prior to 62.0.3202.62 allowed an attacker who can write to the Windows Registry to potentially exploit heap corruption via a crafted Windows Registry entry, related to PlatformIntegration. |
|
36 |
CVE-2017-15391 |
284 |
|
|
2018-02-07 |
2018-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to access Extension pages without authorisation via a crafted HTML page. |
|
37 |
CVE-2017-15390 |
20 |
|
|
2018-02-07 |
2018-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. |
|
38 |
CVE-2017-15389 |
20 |
|
|
2018-02-07 |
2018-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An insufficient watchdog timer in navigation in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
39 |
CVE-2017-15386 |
20 |
|
|
2018-02-07 |
2018-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect implementation in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
|
40 |
CVE-2017-5124 |
79 |
|
XSS |
2018-02-07 |
2018-02-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page. |
|
41 |
CVE-2017-5120 |
254 |
|
|
2017-10-27 |
2017-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Inappropriate use of www mismatch redirects in browser navigation in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to potentially downgrade HTTPS requests to HTTP via a crafted HTML page. In other words, Chrome could transmit cleartext even though the user had entered an https URL, because of a misdesigned workaround for cases where the domain name in a URL almost matches the domain name in an X.509 server certificate (but differs in the initial "www." substring). |
|
42 |
CVE-2017-5119 |
119 |
|
Overflow +Info |
2017-10-27 |
2017-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
|
43 |
CVE-2017-5118 |
254 |
|
Bypass |
2017-10-27 |
2017-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page. |
|
44 |
CVE-2017-5117 |
200 |
|
+Info |
2017-10-27 |
2017-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3163.79 for Linux and Windows allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
|
45 |
CVE-2017-5110 |
20 |
|
|
2017-10-27 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page. |
|
46 |
CVE-2017-5109 |
20 |
|
|
2017-10-27 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Inappropriate implementation of unload handler handling in permission prompts in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to display UI on a non attacker controlled tab via a crafted HTML page. |
|
47 |
CVE-2017-5106 |
20 |
|
|
2017-10-27 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. |
|
48 |
CVE-2017-5105 |
20 |
|
|
2017-10-27 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name. |
|
49 |
CVE-2017-5104 |
20 |
|
|
2017-10-27 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Inappropriate implementation in interstitials in Google Chrome prior to 60.0.3112.78 for Mac allowed a remote attacker to spoof the contents of the omnibox via a crafted HTML page. |
|
50 |
CVE-2017-5103 |
200 |
|
+Info |
2017-10-27 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
