CVSS: 6.5EPSS: 1%CPEs: 7EXPL: 0CVE-2018-6097 – chromium-browser: Fullscreen UI spoof
https://notcve.org/view.php?id=CVE-2018-6097
Incorrect handling of asynchronous methods in Fullscreen in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to enter full screen without showing a warning via a crafted HTML page. La gestión incorrecta de los métodos asíncronos en Fullscreen en Google Chrome, en versiones anteriores a la 66.0.3359.117 para macOS, permitía que un atacante remoto pudiese entrar en modo de pantalla completa sin mostrar un aviso mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/806162 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6097 https://bugzilla.redhat.com/show_bug.cgi?id=1568775 • CWE-19: Data Processing Errors •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-6096 – chromium-browser: Fullscreen UI spoof
https://notcve.org/view.php?id=CVE-2018-6096
A JavaScript focused window could overlap the fullscreen notification in Fullscreen in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obscure the full screen warning via a crafted HTML page. Una ventana centrada con JavaScript podría superponerse a la notificación de pantalla completa en Fullscreen en Google Chrome, en versiones anteriores a la 66.0.3359.117, lo que permitía que un atacante remoto ocultase la advertencia de pantalla completa mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/776418 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6096 https://bugzilla.redhat.com/show_bug.cgi?id=1568774 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0CVE-2018-6091 – chromium-browser: Incorrect handling of plug-ins by Service Worker
https://notcve.org/view.php?id=CVE-2018-6091
Service Workers can intercept any request made by an <embed> or <object> tag in Fetch API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Los trabajadores del servicio (Service Workers) pueden interceptar cualquier petición realizada por las etiquetas o en la API Fetch en Google Chrome, en versiones anteriores a la 66.0.3359.117, permitían que un atacante remoto filtrase datos cross-origin mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/771933 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6091 https://bugzilla.redhat.com/show_bug.cgi?id=1568767 • CWE-19: Data Processing Errors •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-6108 – chromium-browser: URL spoof in Omnibox
https://notcve.org/view.php?id=CVE-2018-6108
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page. Aplicación insuficiente de caracteres confundibles en URL Formatter en Google Chrome, en versiones anteriores a la 66.0.3359.117, permitía que un atacante remoto suplantase dominios mediante homogramas IDN mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/816769 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6108 https://bugzilla.redhat.com/show_bug.cgi?id=1568788 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2018-1106 – PackageKit: authentication bypass allows to install signed packages without administrator privileges
https://notcve.org/view.php?id=CVE-2018-1106
An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system. Se ha encontrado un fallo de omisión de autenticación en PackageKit, en versiones anteriores a la 1.1.10, que permite que usuarios con privilegios de administrador instalen paquetes firmados. Un atacante local puede emplear esta vulnerabilidad para instalar paquetes vulnerables para comprometer aún más un sistema. An authentication bypass flaw has been found in PackageKit that allows users without administrator privileges to install signed packages. • http://www.openwall.com/lists/oss-security/2018/04/23/3 https://access.redhat.com/errata/RHSA-2018:1224 https://bugzilla.redhat.com/show_bug.cgi?id=1565992 https://usn.ubuntu.com/3634-1 https://www.debian.org/security/2018/dsa-4207 https://access.redhat.com/security/cve/CVE-2018-1106 • CWE-287: Improper Authentication •