SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.
Max CVSS: 5.9 | EPSS Score: 0.31% | Published: 2016-10-14 | Updated: 2020-12-09
Google Chrome before 4.0.211.0 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.
Max CVSS: 5.8 | EPSS Score: 0.21% | Published: 2011-08-09 | Updated: 2012-08-02
src/net/http/http_transaction_winhttp.cc in Google Chrome before 1.0.154.53 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.
Max CVSS: 5.8 | EPSS Score: 0.24% | Published: 2009-06-15 | Updated: 2017-08-17
Google Chrome before 11.0.696.57 allows remote attackers to spoof the URL bar via vectors involving (1) a navigation error or (2) an interrupted load.
Max CVSS: 5.8 | EPSS Score: 1.30% | Published: 2011-05-03 | Updated: 2020-05-22
Google Chrome before 11.0.696.57 allows user-assisted remote attackers to spoof the URL bar via vectors involving a redirect and a manual reload.
Max CVSS: 5.8 | EPSS Score: 0.25% | Published: 2011-05-03 | Updated: 2020-05-22
Google Chrome before 12.0.742.91 attempts to read data from an uninitialized pointer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Max CVSS: 5.8 | EPSS Score: 1.75% | Published: 2011-06-09 | Updated: 2020-05-22
Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy, which might allow man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate.
Max CVSS: 5.8 | EPSS Score: 0.28% | Published: 2012-03-30 | Updated: 2020-04-14
Google Chrome before 17.0.963.46 does not properly implement the drag-and-drop feature, which makes it easier for remote attackers to spoof the URL bar via unspecified vectors.
Max CVSS: 5.8 | EPSS Score: 0.21% | Published: 2012-02-09 | Updated: 2020-04-17
Google Chrome before 28.0.1500.71 does not properly determine the circumstances in which a renderer process can be considered a trusted process for sign-in and subsequent sync operations, which makes it easier for remote attackers to conduct phishing attacks via a crafted web site.
Max CVSS: 5.8 | EPSS Score: 0.67% | Published: 2013-07-10 | Updated: 2017-09-19
Google Chrome before 28.0.1500.95 does not properly handle frames, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Max CVSS: 5.8 | EPSS Score: 0.39% | Published: 2013-07-31 | Updated: 2017-09-19
The PepperFlashRendererHost::OnNavigate function in renderer/pepper/pepper_flash_renderer_host.cc in Google Chrome before 33.0.1750.146 does not verify that all headers are Cross-Origin Resource Sharing (CORS) simple headers before proceeding with a PPB_Flash.Navigate operation, which might allow remote attackers to bypass intended CORS restrictions via an inappropriate header.
Max CVSS: 5.8 | EPSS Score: 0.36% | Published: 2014-03-05 | Updated: 2017-01-07
Google Chrome before 31.0.1650.57 allows remote attackers to bypass intended sandbox restrictions by leveraging access to a renderer process, as demonstrated during a Mobile Pwn2Own competition at PacSec 2013, a different vulnerability than CVE-2013-6632.
Max CVSS: 5.8 | EPSS Score: 0.46% | Published: 2013-11-18 | Updated: 2018-12-13
Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.
Max CVSS: 5.8 | EPSS Score: 0.78% | Published: 2019-01-09 | Updated: 2019-01-30
A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.
Max CVSS: 5.8 | EPSS Score: 0.12% | Published: 2018-05-04 | Updated: 2019-10-03
Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
Max CVSS: 5.8 | EPSS Score: 0.07% | Published: 2019-06-27 | Updated: 2019-07-01
Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Max CVSS: 5.8 | EPSS Score: 0.62% | Published: 2019-06-27 | Updated: 2022-07-29
Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Max CVSS: 5.8 | EPSS Score: 0.45% | Published: 2020-02-11 | Updated: 2022-04-06
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
Max CVSS: 5.8 | EPSS Score: 0.37% | Published: 2020-02-11 | Updated: 2020-02-12
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
Max CVSS: 5.8 | EPSS Score: 0.37% | Published: 2020-02-11 | Updated: 2020-02-17
Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension.
Max CVSS: 5.8 | EPSS Score: 0.46% | Published: 2020-03-23 | Updated: 2022-10-07
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
Max CVSS: 5.8 | EPSS Score: 0.20% | Published: 2021-06-07 | Updated: 2021-12-01
Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.
Max CVSS: 5.8 | EPSS Score: 0.49% | Published: 2021-10-08 | Updated: 2022-02-18
Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent.
Max CVSS: 5.7 | EPSS Score: 0.06% | Published: 2017-04-24 | Updated: 2022-04-22
Use after free in Bluetooth in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension.
Max CVSS: 5.7 | EPSS Score: 0.05% | Published: 2019-06-27 | Updated: 2019-07-01
Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an attacker on the local network segment to proxy resources on localhost via a crafted WPAD file.
Max CVSS: 5.7 | EPSS Score: 0.21% | Published: 2018-12-11 | Updated: 2019-08-17
254 vulnerabilities found