| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2013-2849 |
79 |
|
XSS |
2013-05-22 |
2013-06-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome before 27.0.1453.93 allow user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) drag-and-drop or (2) copy-and-paste operation. |
|
2 |
CVE-2013-0897 |
189 |
|
DoS |
2013-02-23 |
2013-04-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Off-by-one error in the PDF functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service via a crafted document. |
|
3 |
CVE-2012-5851 |
79 |
|
XSS Bypass |
2012-11-15 |
2012-11-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome through 22 and Safari 5.1.7, does not consider all possible output contexts of reflected data, which makes it easier for remote attackers to bypass a cross-site scripting (XSS) protection mechanism via a crafted string, aka rdar problem 12019108. |
|
4 |
CVE-2012-5157 |
119 |
|
DoS Overflow |
2013-01-15 |
2013-01-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 24.0.1312.52 does not properly handle image data in PDF documents, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document. |
|
5 |
CVE-2012-4909 |
200 |
|
+Info |
2012-09-13 |
2012-09-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Google Chrome before 18.0.1025308 on Android allows remote attackers to obtain cookie information via a crafted application. |
|
6 |
CVE-2012-4905 |
79 |
|
XSS |
2012-09-13 |
2012-09-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script or HTML via an extra in an Intent object, aka "Universal XSS (UXSS)." |
|
7 |
CVE-2012-4904 |
79 |
|
XSS |
2012-09-13 |
2012-09-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-application scripting vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS (UXSS)" attacks against the current tab. |
|
8 |
CVE-2012-2889 |
79 |
|
XSS |
2012-09-26 |
2013-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Google Chrome before 22.0.1229.79 allows remote attackers to inject arbitrary web script or HTML via vectors involving frames, aka "Universal XSS (UXSS)." |
|
9 |
CVE-2012-2886 |
79 |
|
XSS |
2012-09-26 |
2013-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Google Chrome before 22.0.1229.79 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Google V8 bindings, aka "Universal XSS (UXSS)." |
|
10 |
CVE-2012-2879 |
119 |
|
DoS Overflow |
2012-09-26 |
2013-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service (DOM topology corruption) via a crafted document. |
|
11 |
CVE-2012-2872 |
79 |
|
XSS |
2012-08-31 |
2013-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in an SSL interstitial page in Google Chrome before 21.0.1180.89 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
12 |
CVE-2012-2870 |
399 |
|
DoS |
2012-08-31 |
2013-04-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c. |
|
13 |
CVE-2012-2865 |
119 |
|
DoS Overflow |
2012-08-31 |
2013-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 21.0.1180.89 does not properly perform line breaking, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document. |
|
14 |
CVE-2012-2849 |
189 |
|
DoS |
2012-08-06 |
2012-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Off-by-one error in the GIF decoder in Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image. |
|
15 |
CVE-2012-2848 |
264 |
|
Bypass |
2012-08-06 |
2012-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The drag-and-drop implementation in Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows user-assisted remote attackers to bypass intended file access restrictions via a crafted web site. |
|
16 |
CVE-2012-2847 |
399 |
|
DoS |
2012-08-06 |
2012-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, does not request user confirmation before continuing a large series of downloads, which allows user-assisted remote attackers to cause a denial of service (resource consumption) via a crafted web site. |
|
17 |
CVE-2011-3907 |
20 |
|
|
2011-12-13 |
2011-12-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The view-source feature in Google Chrome before 16.0.912.63 allows remote attackers to spoof the URL bar via unspecified vectors. |
|
18 |
CVE-2011-3877 |
79 |
|
XSS |
2011-10-25 |
2012-11-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the appcache internals page in Google Chrome before 15.0.874.102 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
19 |
CVE-2011-3875 |
20 |
|
|
2011-10-25 |
2012-11-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors. |
|
20 |
CVE-2011-3389 |
20 |
|
|
2011-09-06 |
2013-03-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. |
|
21 |
CVE-2011-3058 |
79 |
|
XSS |
2012-03-30 |
2013-03-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Google Chrome before 18.0.1025.142 does not properly handle the EUC-JP encoding system, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. |
|
22 |
CVE-2011-3040 |
399 |
|
DoS |
2012-03-05 |
2012-09-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 17.0.963.65 does not properly handle text, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document. |
|
23 |
CVE-2011-2849 |
|
|
DoS |
2011-09-19 |
2011-09-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The WebSockets implementation in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. |
|
24 |
CVE-2011-2800 |
200 |
|
+Info |
2011-08-02 |
2011-10-25 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Google Chrome before 13.0.782.107 allows remote attackers to obtain potentially sensitive information about client-side redirect targets via a crafted web site. |
|
25 |
CVE-2011-2786 |
20 |
|
|
2011-08-02 |
2011-09-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Google Chrome before 13.0.782.107 does not ensure that the speech-input bubble is shown on the product's screen, which might make it easier for remote attackers to make audio recordings via a crafted web page containing an INPUT element. |
|
26 |
CVE-2011-2785 |
20 |
|
|
2011-08-02 |
2011-09-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The extensions implementation in Google Chrome before 13.0.782.107 does not properly validate the URL for the home page, which allows remote attackers to have an unspecified impact via a crafted extension. |
|
27 |
CVE-2011-2782 |
264 |
|
Bypass |
2011-08-02 |
2011-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The drag-and-drop implementation in Google Chrome before 13.0.782.107 on Linux does not properly enforce permissions for files, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors. |
|
28 |
CVE-2011-2761 |
399 |
|
DoS |
2011-07-18 |
2011-08-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome 14.0.794.0 does not properly handle a reload of a page generated in response to a POST, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted web site, related to GetWidget methods. |
|
29 |
CVE-2011-2599 |
200 |
|
+Info |
2011-06-30 |
2011-07-12 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Google Chrome 11 does not block use of a cross-domain image as a WebGL texture, which allows remote attackers to obtain approximate copies of arbitrary images via a timing attack involving a crafted WebGL fragment shader. |
|
30 |
CVE-2011-2361 |
287 |
|
|
2011-08-02 |
2011-09-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Basic Authentication dialog implementation in Google Chrome before 13.0.782.107 does not properly handle strings, which might make it easier for remote attackers to capture credentials via a crafted web site. |
|
31 |
CVE-2011-1455 |
20 |
|
DoS |
2011-05-03 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 11.0.696.57 does not properly handle PDF documents with multipart encoding, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document. |
|
32 |
CVE-2011-1305 |
362 |
|
DoS |
2011-05-03 |
2012-03-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Race condition in Google Chrome before 11.0.696.57 on Linux and Mac OS X allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to linked lists and a database. |
|
33 |
CVE-2011-1107 |
|
|
|
2011-03-01 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Unspecified vulnerability in Google Chrome before 9.0.597.107 allows remote attackers to spoof the URL bar via unknown vectors. |
|
34 |
CVE-2011-1059 |
399 |
|
DoS |
2011-02-22 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in WebCore in WebKit before r77705, as used in Google Chrome before 11.0.672.2 and other products, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors that entice a user to resubmit a form, related to improper handling of provisional items by the HistoryController component, aka rdar problem 8938557. |
|
35 |
CVE-2011-0783 |
|
|
DoS |
2011-02-04 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in Google Chrome before 9.0.597.84 allows user-assisted remote attackers to cause a denial of service (application crash) via vectors involving a "bad volume setting." |
|
36 |
CVE-2010-5069 |
200 |
|
+Info |
2011-12-07 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Cascading Style Sheets (CSS) implementation in Google Chrome 4 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document. NOTE: this may overlap CVE-2010-2264. |
|
37 |
CVE-2010-4575 |
|
|
DoS |
2010-12-21 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The ThemeInstalledInfoBarDelegate::Observe function in browser/extensions/theme_installed_infobar_delegate.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 does not properly handle incorrect tab interaction by an extension, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted extension. |
|
38 |
CVE-2010-4493 |
399 |
|
DoS |
2010-12-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in Google Chrome before 8.0.552.215 allows remote attackers to cause a denial of service via vectors related to the handling of mouse dragging events. |
|
39 |
CVE-2010-4491 |
264 |
|
DoS Mem. Corr. |
2010-12-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 8.0.552.215 does not properly restrict privileged extensions, which allows remote attackers to cause a denial of service (memory corruption) via a crafted extension. |
|
40 |
CVE-2010-4489 |
|
|
DoS |
2010-12-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
libvpx, as used in Google Chrome before 8.0.552.215 and possibly other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WebM video. NOTE: this vulnerability exists because of a regression. |
|
41 |
CVE-2010-4485 |
264 |
|
DoS |
2010-12-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google Chrome before 8.0.552.215 does not properly restrict the generation of file dialogs, which allows remote attackers to cause a denial of service (reduced usability and possible application crash) via a crafted web site. |
|
42 |
CVE-2010-4483 |
264 |
|
Bypass |
2010-12-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Google Chrome before 8.0.552.215 does not properly restrict read access to videos derived from CANVAS elements, which allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via a crafted web site. |
|
43 |
CVE-2010-4038 |
20 |
|
DoS |
2010-10-21 |
2012-01-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The Web Sockets implementation in Google Chrome before 7.0.517.41 does not properly handle a shutdown action, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors. |
|
44 |
CVE-2010-4037 |
|
|
Bypass |
2010-10-21 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Unspecified vulnerability in Google Chrome before 7.0.517.41 allows remote attackers to bypass the pop-up blocker via unknown vectors. |
|
45 |
CVE-2010-4008 |
119 |
|
DoS Overflow |
2010-11-16 |
2013-02-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document. |
|
46 |
CVE-2010-3259 |
264 |
|
Bypass |
2010-09-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3, Google Chrome before 6.0.472.53, and webkitgtk before 1.2.6, does not properly restrict read access to images derived from CANVAS elements, which allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive image data via a crafted web site. |
|
47 |
CVE-2010-3251 |
399 |
|
DoS |
2010-09-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The WebSockets implementation in Google Chrome before 6.0.472.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. |
|
48 |
CVE-2010-3247 |
20 |
|
|
2010-09-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Google Chrome before 6.0.472.53 does not properly restrict the characters in URLs, which allows remote attackers to spoof the appearance of the URL bar via homographic sequences. |
|
49 |
CVE-2010-3246 |
20 |
|
Bypass |
2010-09-07 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Google Chrome before 6.0.472.53 does not properly handle the _blank value for the target attribute of unspecified elements, which allows remote attackers to bypass the pop-up blocker via unknown vectors. |
|
50 |
CVE-2010-2649 |
|
|
DoS |
2010-07-06 |
2011-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Unspecified vulnerability in Google Chrome before 5.0.375.99 allows remote attackers to cause a denial of service (application crash) via an invalid image. |
