CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 0CVE-2017-15387 – chromium-browser: content security bypass
https://notcve.org/view.php?id=CVE-2017-15387
Insufficient enforcement of Content Security Policy in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to open javascript: URL windows when they should not be allowed to via a crafted HTML page. La aplicación insuficiente de políticas de seguridad de contenidos en Blink en Google Chrome, en versiones anteriores a la 62.0.3202.62, permitía que un atacante remoto abriese ventanas javascript: URL cuando no deberían ser capaces de hacerlo mediante una página HTML manipulada. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/756040 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-15387 https://bugzilla.redhat.com/show_bug.cgi?id=1503542 •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2017-15389 – chromium-browser: url spoofing in omnibox
https://notcve.org/view.php?id=CVE-2017-15389
An insufficient watchdog timer in navigation in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. Un temporizador guardián insuficiente en navigation en Blink en Google Chrome, en versiones anteriores a la 62.0.3202.62, permitía que un atacante remoto suplante el contenido del Omnibox (barra de URL) mediante una página HTML manipulada. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/739621 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-15389 https://bugzilla.redhat.com/show_bug.cgi?id=1503544 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 0CVE-2017-5126 – chromium-browser: use after free in pdfium
https://notcve.org/view.php?id=CVE-2017-5126
A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. Un uso de memoria previamente liberada en PDFium en Google Chrome, en versiones anteriores a la 62.0.3202.62, permite que un atacante remoto explote la corrupción de la memoria dinámica (heap) mediante un archivo PDF manipulado. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/760455 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-5126 https://bugzilla.redhat.com/show_bug.cgi?id=1503532 • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 2CVE-2017-5124 – Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting
https://notcve.org/view.php?id=CVE-2017-5124
Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page. Una implementación incorrecta del sandbox en Blink en Google Chrome, en versiones anteriores a la 62.0.3202.62, permitía que un atacante remoto inyecte scripts o HTML (UXSS) arbitrarios mediante una página MHTML manipulada. • https://www.exploit-db.com/exploits/45867 https://github.com/Bo0oM/CVE-2017-5124 http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://chromium.googlesource.com/chromium/src/+/4558c2885e618557a674660aff57404d25537070 https://crbug.com/762930 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://www.reddit.com/r/ne • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-5130 – chromium-browser: heap overflow in libxml2
https://notcve.org/view.php?id=CVE-2017-5130
An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. Un desbordamiento de enteros en xmlmemory.c en versiones anteriores a la 2.9.5 de libxml2, tal y como se emplea en Google Chrome, en versiones anteriores a la 62.0.3202.62 y en otros productos, permite que un atacante remoto explote la corrupción de la memoria dinámica (heap) mediante un archivo XML manipulado. A heap overflow flaw was found in the libxml2 library. An application compiled with libxml2 using the vulnerable debug-only function xmlMemoryStrdup could be used by an attacker to crash the application or execute arbitrary code with the permission of the user running the application. • http://bugzilla.gnome.org/show_bug.cgi?id=783026 http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/722079 https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed https://lists.debian.org/debian-lts-announce/2017/11/msg00034.html https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html https://security.gentoo. • CWE-787: Out-of-bounds Write •