CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Google » Chrome : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-3803 200 +Info 2014-05-21 2014-08-01
4.3
None Remote Medium Not required Partial None None
The SpeechInput feature in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to enable microphone access and obtain speech-recognition text without indication via an INPUT element with a -x-webkit-speech attribute.
2 CVE-2014-1747 79 XSS 2014-05-21 2014-06-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS)."
3 CVE-2014-1726 Bypass 2014-04-09 2014-05-23
4.3
None Remote Medium Not required None Partial None
The drag implementation in Google Chrome before 34.0.1847.116 allows user-assisted remote attackers to bypass the Same Origin Policy and forge local pathnames by leveraging renderer access.
4 CVE-2014-1701 79 XSS 2014-03-16 2014-05-23
4.3
None Remote Medium Not required None Partial None
The GenerateFunction function in bindings/scripts/code_generator_v8.pm in Blink, as used in Google Chrome before 33.0.1750.149, does not implement a certain cross-origin restriction for the EventTarget::dispatchEvent function, which allows remote attackers to conduct Universal XSS (UXSS) attacks via vectors involving events.
5 CVE-2013-6636 20 2013-12-06 2014-03-05
4.3
None Remote Medium Not required None Partial None
The FrameLoader::notifyIfInitialDocumentAccessed function in core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 31.0.1650.63, makes an incorrect check for an empty document during presentation of a modal dialog, which allows remote attackers to spoof the address bar via vectors involving the document.write method.
6 CVE-2013-6628 2013-11-13 2014-04-24
4.3
None Remote Medium Not required None Partial None
net/socket/ssl_client_socket_nss.cc in the TLS implementation in Google Chrome before 31.0.1650.48 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which might allow remote web servers to interfere with trust relationships by renegotiating a session.
7 CVE-2013-6626 2013-11-13 2014-03-05
4.3
None Remote Medium Not required None Partial None
The WebContentsImpl::AttachInterstitialPage function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 31.0.1650.48 does not cancel JavaScript dialogs upon generating an interstitial warning, which allows remote attackers to spoof the address bar via a crafted web site.
8 CVE-2013-6623 119 DoS Overflow 2013-11-13 2014-03-05
4.3
None Remote Medium Not required None None Partial
The SVG implementation in Blink, as used in Google Chrome before 31.0.1650.48, allows remote attackers to cause a denial of service (out-of-bounds read) by leveraging the use of tree order, rather than transitive dependency order, for layout.
9 CVE-2013-2916 2013-10-02 2014-03-05
4.3
None Remote Medium Not required None Partial None
Blink, as used in Google Chrome before 30.0.1599.66, allows remote attackers to spoof the address bar via vectors involving a response with a 204 (aka No Content) status code, in conjunction with a delay in notifying the user of an attempted spoof.
10 CVE-2013-2915 2013-10-02 2014-03-05
4.3
None Remote Medium Not required None Partial None
Google Chrome before 30.0.1599.66 preserves pending NavigationEntry objects in certain invalid circumstances, which allows remote attackers to spoof the address bar via a URL with a malformed scheme, as demonstrated by a nonexistent:12121 URL.
11 CVE-2013-2874 264 Bypass 2013-07-10 2013-11-02
4.3
None Remote Medium Not required Partial None None
Google Chrome before 28.0.1500.71 on Windows, when an Nvidia GPU is used, allows remote attackers to bypass intended restrictions on access to screen data via vectors involving IPC transmission of GL textures.
12 CVE-2013-2869 119 DoS Overflow 2013-07-10 2013-11-02
4.3
None Remote Medium Not required None None Partial
Google Chrome before 28.0.1500.71 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted JPEG2000 image.
13 CVE-2013-2866 264 +Info 2013-06-19 2013-11-02
4.3
None Remote Medium Not required Partial None None
The Flash plug-in in Google Chrome before 27.0.1453.116, as used on Google Chrome OS before 27.0.1453.116 and separately, does not properly determine whether a user wishes to permit camera or microphone access by a Flash application, which allows remote attackers to obtain sensitive information from a machine's physical environment via a clickjacking attack, as demonstrated by an attack using a crafted Cascading Style Sheets (CSS) opacity property.
14 CVE-2013-2849 79 XSS 2013-05-22 2013-11-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome before 27.0.1453.93 allow user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) drag-and-drop or (2) copy-and-paste operation.
15 CVE-2013-0897 189 DoS 2013-02-23 2013-11-02
4.3
None Remote Medium Not required None None Partial
Off-by-one error in the PDF functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service via a crafted document.
16 CVE-2012-5851 79 XSS Bypass 2012-11-15 2012-11-19
4.3
None Remote Medium Not required None Partial None
html/parser/XSSAuditor.cpp in WebCore in WebKit, as used in Google Chrome through 22 and Safari 5.1.7, does not consider all possible output contexts of reflected data, which makes it easier for remote attackers to bypass a cross-site scripting (XSS) protection mechanism via a crafted string, aka rdar problem 12019108.
17 CVE-2012-5157 119 DoS Overflow 2013-01-15 2013-11-02
4.3
None Remote Medium Not required None None Partial
Google Chrome before 24.0.1312.52 does not properly handle image data in PDF documents, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document.
18 CVE-2012-4909 200 +Info 2012-09-13 2012-09-14
4.3
None Remote Medium Not required Partial None None
Google Chrome before 18.0.1025308 on Android allows remote attackers to obtain cookie information via a crafted application.
19 CVE-2012-4905 79 XSS 2012-09-13 2012-09-14
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script or HTML via an extra in an Intent object, aka "Universal XSS (UXSS)."
20 CVE-2012-4904 79 XSS 2012-09-13 2012-09-14
4.3
None Remote Medium Not required None Partial None
Cross-application scripting vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS (UXSS)" attacks against the current tab.
21 CVE-2012-2899 79 XSS Bypass 2014-01-05 2014-01-06
4.3
None Remote Medium Not required None Partial None
Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors involving the document.write method.
22 CVE-2012-2889 79 XSS 2012-09-26 2013-11-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Google Chrome before 22.0.1229.79 allows remote attackers to inject arbitrary web script or HTML via vectors involving frames, aka "Universal XSS (UXSS)."
23 CVE-2012-2886 79 XSS 2012-09-26 2013-11-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Google Chrome before 22.0.1229.79 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Google V8 bindings, aka "Universal XSS (UXSS)."
24 CVE-2012-2879 119 DoS Overflow 2012-09-26 2013-11-02
4.3
None Remote Medium Not required None None Partial
Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial of service (DOM topology corruption) via a crafted document.
25 CVE-2012-2872 79 XSS 2012-08-31 2013-11-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in an SSL interstitial page in Google Chrome before 21.0.1180.89 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
26 CVE-2012-2870 399 DoS 2012-08-31 2014-01-27
4.3
None Remote Medium Not required None None Partial
libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.
27 CVE-2012-2865 119 DoS Overflow 2012-08-31 2013-11-02
4.3
None Remote Medium Not required None None Partial
Google Chrome before 21.0.1180.89 does not properly perform line breaking, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document.
28 CVE-2012-2849 189 DoS 2012-08-06 2012-08-13
4.3
None Remote Medium Not required None None Partial
Off-by-one error in the GIF decoder in Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image.
29 CVE-2012-2848 264 Bypass 2012-08-06 2012-08-13
4.3
None Remote Medium Not required None Partial None
The drag-and-drop implementation in Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, allows user-assisted remote attackers to bypass intended file access restrictions via a crafted web site.
30 CVE-2012-2847 399 DoS 2012-08-06 2012-08-13
4.3
None Remote Medium Not required None None Partial
Google Chrome before 21.0.1180.57 on Mac OS X and Linux, and before 21.0.1180.60 on Windows and Chrome Frame, does not request user confirmation before continuing a large series of downloads, which allows user-assisted remote attackers to cause a denial of service (resource consumption) via a crafted web site.
31 CVE-2011-3907 20 2011-12-13 2011-12-14
4.3
None Remote Medium Not required None Partial None
The view-source feature in Google Chrome before 16.0.912.63 allows remote attackers to spoof the URL bar via unspecified vectors.
32 CVE-2011-3877 79 XSS 2011-10-25 2012-11-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the appcache internals page in Google Chrome before 15.0.874.102 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
33 CVE-2011-3875 20 2011-10-25 2012-11-06
4.3
None Remote Medium Not required None Partial None
Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.
34 CVE-2011-3389 20 2011-09-06 2014-10-04
4.3
None Remote Medium Not required Partial None None
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
35 CVE-2011-3058 79 XSS 2012-03-30 2013-03-15
4.3
None Remote Medium Not required None Partial None
Google Chrome before 18.0.1025.142 does not properly handle the EUC-JP encoding system, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
36 CVE-2011-3040 399 DoS 2012-03-05 2012-09-21
4.3
None Remote Medium Not required None None Partial
Google Chrome before 17.0.963.65 does not properly handle text, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document.
37 CVE-2011-2849 DoS 2011-09-19 2011-09-22
4.3
None Remote Medium Not required None None Partial
The WebSockets implementation in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.
38 CVE-2011-2800 200 +Info 2011-08-02 2011-10-25
4.3
None Remote Medium Not required Partial None None
Google Chrome before 13.0.782.107 allows remote attackers to obtain potentially sensitive information about client-side redirect targets via a crafted web site.
39 CVE-2011-2786 20 2011-08-02 2011-09-06
4.3
None Remote Medium Not required None Partial None
Google Chrome before 13.0.782.107 does not ensure that the speech-input bubble is shown on the product's screen, which might make it easier for remote attackers to make audio recordings via a crafted web page containing an INPUT element.
40 CVE-2011-2785 20 2011-08-02 2011-09-06
4.3
None Remote Medium Not required None Partial None
The extensions implementation in Google Chrome before 13.0.782.107 does not properly validate the URL for the home page, which allows remote attackers to have an unspecified impact via a crafted extension.
41 CVE-2011-2782 264 Bypass 2011-08-02 2011-09-12
4.3
None Remote Medium Not required None Partial None
The drag-and-drop implementation in Google Chrome before 13.0.782.107 on Linux does not properly enforce permissions for files, which allows user-assisted remote attackers to bypass intended access restrictions via unspecified vectors.
42 CVE-2011-2761 399 DoS 2011-07-18 2011-08-10
4.3
None Remote Medium Not required None None Partial
Google Chrome 14.0.794.0 does not properly handle a reload of a page generated in response to a POST, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted web site, related to GetWidget methods.
43 CVE-2011-2599 200 +Info 2011-06-30 2011-07-12
4.3
None Remote Medium Not required Partial None None
Google Chrome 11 does not block use of a cross-domain image as a WebGL texture, which allows remote attackers to obtain approximate copies of arbitrary images via a timing attack involving a crafted WebGL fragment shader.
44 CVE-2011-2361 287 2011-08-02 2011-09-06
4.3
None Remote Medium Not required Partial None None
The Basic Authentication dialog implementation in Google Chrome before 13.0.782.107 does not properly handle strings, which might make it easier for remote attackers to capture credentials via a crafted web site.
45 CVE-2011-1455 20 DoS 2011-05-03 2012-01-26
4.3
None Remote Medium Not required None None Partial
Google Chrome before 11.0.696.57 does not properly handle PDF documents with multipart encoding, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted document.
46 CVE-2011-1305 362 DoS 2011-05-03 2012-03-19
4.3
None Remote Medium Not required None None Partial
Race condition in Google Chrome before 11.0.696.57 on Linux and Mac OS X allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to linked lists and a database.
47 CVE-2011-1107 2011-03-01 2012-01-26
4.3
None Remote Medium Not required None Partial None
Unspecified vulnerability in Google Chrome before 9.0.597.107 allows remote attackers to spoof the URL bar via unknown vectors.
48 CVE-2011-1059 399 DoS 2011-02-22 2012-01-26
4.3
None Remote Medium Not required None None Partial
Use-after-free vulnerability in WebCore in WebKit before r77705, as used in Google Chrome before 11.0.672.2 and other products, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors that entice a user to resubmit a form, related to improper handling of provisional items by the HistoryController component, aka rdar problem 8938557.
49 CVE-2011-0783 DoS 2011-02-04 2012-01-26
4.3
None Remote Medium Not required None None Partial
Unspecified vulnerability in Google Chrome before 9.0.597.84 allows user-assisted remote attackers to cause a denial of service (application crash) via vectors involving a "bad volume setting."
50 CVE-2010-5069 200 +Info 2011-12-07 2012-01-26
4.3
None Remote Medium Not required Partial None None
The Cascading Style Sheets (CSS) implementation in Google Chrome 4 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document. NOTE: this may overlap CVE-2010-2264.
Total number of vulnerabilities : 92   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.