CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-6096 – chromium-browser: Fullscreen UI spoof
https://notcve.org/view.php?id=CVE-2018-6096
A JavaScript focused window could overlap the fullscreen notification in Fullscreen in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obscure the full screen warning via a crafted HTML page. Una ventana centrada con JavaScript podría superponerse a la notificación de pantalla completa en Fullscreen en Google Chrome, en versiones anteriores a la 66.0.3359.117, lo que permitía que un atacante remoto ocultase la advertencia de pantalla completa mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/776418 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6096 https://bugzilla.redhat.com/show_bug.cgi?id=1568774 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 6EXPL: 0CVE-2018-6112 – chromium-browser: Incorrect URL handling in DevTools
https://notcve.org/view.php?id=CVE-2018-6112
Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Hacer que las URL fuesen clicables y permitiendo su formateo en DevTools en Google Chrome, en versiones anteriores a la 66.0.3359.117, permitía que un atacante remoto omitiese las restricciones de navegación mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/798096 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6112 https://bugzilla.redhat.com/show_bug.cgi?id=1568792 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0CVE-2018-6091 – chromium-browser: Incorrect handling of plug-ins by Service Worker
https://notcve.org/view.php?id=CVE-2018-6091
Service Workers can intercept any request made by an <embed> or <object> tag in Fetch API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Los trabajadores del servicio (Service Workers) pueden interceptar cualquier petición realizada por las etiquetas o en la API Fetch en Google Chrome, en versiones anteriores a la 66.0.3359.117, permitían que un atacante remoto filtrase datos cross-origin mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/771933 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6091 https://bugzilla.redhat.com/show_bug.cgi?id=1568767 • CWE-19: Data Processing Errors •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-6103 – chromium-browser: UI spoof in Permissions
https://notcve.org/view.php?id=CVE-2018-6103
A stagnant permission prompt in Prompts in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass permission policy via a crafted HTML page. Un mensaje de permisos estancado en Prompts en Google Chrome, en versiones anteriores a la 66.0.3359.117, permitía que un atacante remoto omitiese las políticas de permisos mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/816033 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6103 https://bugzilla.redhat.com/show_bug.cgi?id=1568781 •
CVSS: 8.8EPSS: 1%CPEs: 6EXPL: 0CVE-2018-6089 – chromium-browser: Same origin policy bypass in Service Worker
https://notcve.org/view.php?id=CVE-2018-6089
A lack of CORS checks, after a Service Worker redirected to a cross-origin PDF, in Service Worker in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. La falta de comprobación de CORS tras una redirección de un Service Worker a un PDF cross-origin en Service Worker en Google Chrome, en versiones anteriores a la 66.0.3359.117, permitía que un atacante remoto filtrase datos cross-origin limitados mediante una página HTML manipulada. • http://www.securityfocus.com/bid/103917 https://access.redhat.com/errata/RHSA-2018:1195 https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://crbug.com/808838 https://security.gentoo.org/glsa/201804-22 https://www.debian.org/security/2018/dsa-4182 https://access.redhat.com/security/cve/CVE-2018-6089 https://bugzilla.redhat.com/show_bug.cgi?id=1568765 • CWE-20: Improper Input Validation •