CVSS: 6.5EPSS: 1%CPEs: 5EXPL: 0CVE-2018-18352 – chromium-browser: Inappropriate implementation in Media
https://notcve.org/view.php?id=CVE-2018-18352
Service works could inappropriately gain access to cross origin audio in Media in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass same origin policy for audio content via a crafted HTML page. Los trabajos del servicio pueden obtener acceso de forma inapropiada al audio cross-origin en Media en Google Chrome, en versiones anteriores a la 71.0.3578.80, permitía que un atacante remoto omitiese la política del mismo origen para el contenido de audio mediante una página HTML manipulada. • http://www.securityfocus.com/bid/106084 https://access.redhat.com/errata/RHSA-2018:3803 https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html https://crbug.com/849942 https://security.gentoo.org/glsa/201908-18 https://www.debian.org/security/2018/dsa-4352 https://access.redhat.com/security/cve/CVE-2018-18352 https://bugzilla.redhat.com/show_bug.cgi?id=1656566 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 3%CPEs: 5EXPL: 0CVE-2018-18342 – chromium-browser: Out of bounds write in V8
https://notcve.org/view.php?id=CVE-2018-18342
Execution of user supplied Javascript during object deserialization can update object length leading to an out of bounds write in V8 in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. La ejecución de código JavaScript proporcionado por el usuario durante una deserialización de objectos, provocando una escritura fuera de límites en la versión "V8" de Google Chrome en versiones anteriores a la 71.0.3578.80, permitía a un atacante remoto ejecutar código arbitrario dentro de un sandbox mediante una página HTML manipulada. • http://www.securityfocus.com/bid/106084 https://access.redhat.com/errata/RHSA-2018:3803 https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html https://crbug.com/906313 https://security.gentoo.org/glsa/201908-18 https://www.debian.org/security/2018/dsa-4352 https://access.redhat.com/security/cve/CVE-2018-18342 https://bugzilla.redhat.com/show_bug.cgi?id=1656556 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-18351 – chromium-browser: Insufficient policy enforcement in Navigation
https://notcve.org/view.php?id=CVE-2018-18351
Lack of proper validation of ancestor frames site when sending lax cookies in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass SameSite cookie policy via a crafted HTML page. La falta de validación adecuada de los frames ancestor al enviar cookies lax en Navigation en Google Chrome en versiones anteriores a la 71.0.3578.80 permitía que un atacante remoto omita la política de la cookie SameSite mediante una página HTML manipulada. • http://www.securityfocus.com/bid/106084 https://access.redhat.com/errata/RHSA-2018:3803 https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html https://crbug.com/833847 https://security.gentoo.org/glsa/201908-18 https://www.debian.org/security/2018/dsa-4352 https://access.redhat.com/security/cve/CVE-2018-18351 https://bugzilla.redhat.com/show_bug.cgi?id=1656565 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-18349 – chromium-browser: Insufficient policy enforcement in Blink
https://notcve.org/view.php?id=CVE-2018-18349
Remote frame navigations was incorrectly permitted to local resources in Blink in Google Chrome prior to 71.0.3578.80 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension. Se permitía de manera incorrecta la navegación remota de tramas en Blink en Google Chrome en versiones anteriores a 71.0.3578.80, lo que permitía que un atacante convenciera a un usuario para que instalase una extensión maliciosa y así acceder a archivos en el sistema de archivos local mediante una extensión de Chrome manipulada. • http://www.securityfocus.com/bid/106084 https://access.redhat.com/errata/RHSA-2018:3803 https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html https://crbug.com/894399 https://security.gentoo.org/glsa/201908-18 https://www.debian.org/security/2018/dsa-4352 https://access.redhat.com/security/cve/CVE-2018-18349 https://bugzilla.redhat.com/show_bug.cgi?id=1656563 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 0CVE-2018-18344 – chromium-browser: Inappropriate implementation in Extensions
https://notcve.org/view.php?id=CVE-2018-18344
Inappropriate allowance of the setDownloadBehavior devtools protocol feature in Extensions in Google Chrome prior to 71.0.3578.80 allowed a remote attacker with control of an installed extension to access files on the local file system via a crafted Chrome Extension. La asignación incorrecta de la funcionalidad de protocolo "setDownloadBehavior" en Extensions en Google Chrome en versiones anteriores a 71.0.3578.80 permitía a un atacante remoto con el control de una extensión instalada acceder a archivos en el sistema remoto mediante una extensión de Chrome manipulada. • http://www.securityfocus.com/bid/106084 https://access.redhat.com/errata/RHSA-2018:3803 https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html https://crbug.com/866426 https://security.gentoo.org/glsa/201908-18 https://www.debian.org/security/2018/dsa-4352 https://access.redhat.com/security/cve/CVE-2018-18344 https://bugzilla.redhat.com/show_bug.cgi?id=1656558 • CWE-269: Improper Privilege Management •