CVE-2017-5132 – chromium-browser: incorrect stack manipulation in webassembly
https://notcve.org/view.php?id=CVE-2017-5132
Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka incorrect WebAssembly stack manipulation. La implementación indebida en V8 en Google Chrome, en versiones anteriores a la 62.0.3202.62, permite que un atacante remoto explote la corrupción de la memoria dinámica (heap) mediante una página HTML manipulada. Esto también se conoce como manipulación de pila WebAssembly. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/718858 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-5132 https://bugzilla.redhat.com/show_bug.cgi?id=1503536 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-15386 – chromium-browser: ui spoofing in blink
https://notcve.org/view.php?id=CVE-2017-15386
Incorrect implementation in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. Una implementación incorrecta en Blink en Google Chrome, en versiones anteriores a la 62.0.3202.62, permitía que un atacante remoto suplante el contenido del Omnibox (barra de URL) mediante una página HTML manipulada. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/752003 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-15386 https://bugzilla.redhat.com/show_bug.cgi?id=1503540 • CWE-20: Improper Input Validation •
CVE-2017-5127 – chromium-browser: use after free in pdfium
https://notcve.org/view.php?id=CVE-2017-5127
Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. Un uso de memoria previamente liberada en PDFium en Google Chrome, en versiones anteriores a la 62.0.3202.62, permite que un atacante remoto explote la corrupción de la memoria dinámica (heap) mediante un archivo PDF manipulado. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/765384 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-5127 https://bugzilla.redhat.com/show_bug.cgi?id=1503533 • CWE-416: Use After Free •
CVE-2017-5124 – Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting
https://notcve.org/view.php?id=CVE-2017-5124
Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page. Una implementación incorrecta del sandbox en Blink en Google Chrome, en versiones anteriores a la 62.0.3202.62, permitía que un atacante remoto inyecte scripts o HTML (UXSS) arbitrarios mediante una página MHTML manipulada. • https://www.exploit-db.com/exploits/45867 https://github.com/Bo0oM/CVE-2017-5124 http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://chromium.googlesource.com/chromium/src/+/4558c2885e618557a674660aff57404d25537070 https://crbug.com/762930 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://www.reddit.com/r/ne • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-15392 – chromium-browser: incorrect registry key handling in platformintegration
https://notcve.org/view.php?id=CVE-2017-15392
Insufficient data validation in V8 in Google Chrome prior to 62.0.3202.62 allowed an attacker who can write to the Windows Registry to potentially exploit heap corruption via a crafted Windows Registry entry, related to PlatformIntegration. La validación de datos insuficiente en V8 en Google Chrome, en versiones anteriores a la 62.0.3202.62, permitía que un atacante que pueda escribir en Windows Registry pudiese explotar la corrupción de la memoria dinámica (heap) mediante una entrada manipulada al Windows Registry, relacionado con PlatformIntegration. • http://www.securityfocus.com/bid/101482 https://access.redhat.com/errata/RHSA-2017:2997 https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html https://crbug.com/714401 https://security.gentoo.org/glsa/201710-24 https://www.debian.org/security/2017/dsa-4020 https://access.redhat.com/security/cve/CVE-2017-15392 https://bugzilla.redhat.com/show_bug.cgi?id=1503547 • CWE-20: Improper Input Validation •