CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2015-3335
https://notcve.org/view.php?id=CVE-2015-3335
The NaClSandbox::InitializeLayerTwoSandbox function in components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc in Google Chrome before 42.0.2311.90 does not have RLIMIT_AS and RLIMIT_DATA limits for Native Client (aka NaCl) processes, which might make it easier for remote attackers to conduct row-hammer attacks or have unspecified other impact by leveraging the ability to run a crafted program in the NaCl sandbox. La función NaClSandbox::InitializeLayerTwoSandbox en components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc en Google Chrome anterior a 42.0.2311.90 no tiene los límites RLIMIT_AS y RLIMIT_DATA para los procesos Native Client (también conocido como NaCl), lo que podría facilitar a atacantes remotos realizar ataques 'row-hammer' o tener otro impacto no especificado mediante el aprovechamiento de la habilidad de hacer funcionar un programa manipulado en el sandbox NaCl. • http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00040.html http://www.securityfocus.com/bid/72715 https://code.google.com/p/chromium/issues/detail?id=455839 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2015-3336
https://notcve.org/view.php?id=CVE-2015-3336
Google Chrome before 42.0.2311.90 does not always ask the user before proceeding with CONTENT_SETTINGS_TYPE_FULLSCREEN and CONTENT_SETTINGS_TYPE_MOUSELOCK changes, which allows user-assisted remote attackers to cause a denial of service (UI disruption) by constructing a crafted HTML document containing JavaScript code with requestFullScreen and requestPointerLock calls, and arranging for the user to access this document with a file: URL. Google Chrome anterior a 42.0.2311.90 no siempre pregunta al usuario antes de proceder con cambios de CONTENT_SETTINGS_TYPE_FULLSCREEN y CONTENT_SETTINGS_TYPE_MOUSELOCK, lo que permite a atacantes remotos asistidos por usuario causar una denegación de servicio (interrupción de la interfaz del usuario) mediante la construcción de un documento HTML manipulado que contiene código JavaScript con llamadas requestFullScreen y requestPointerLock, y la organización del acceso del usuario a este documento con una URL file:. • http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00040.html http://www.debian.org/security/2015/dsa-3238 http://www.securityfocus.com/bid/74227 https://code.google.com/p/chromium/issues/detail?id=455953 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.4EPSS: 0%CPEs: 14EXPL: 1CVE-2015-1241 – chromium-browser: tap-jacking vulnerability
https://notcve.org/view.php?id=CVE-2015-1241
Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack. Google Chrome anterior a 42.0.2311.90 no considera correctamente la interacción de la navegación de páginas con el manejo de los eventos 'táctiles' (touch) y los eventos de 'gestos' (gesture), lo que permite a atacantes remotos provocar acciones no intencionadas de la interfaz del usuario a través de un sitio web manipulado que realiza un ataque de 'tapjacking'. • http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00040.html http://lists.opensuse.org/opensuse-updates/2015-11/msg00024.html http://rhn.redhat.com/errata/RHSA-2015-0816.html http://ubuntu.com/usn/usn-2570-1 http://www.debian.org/security/2015/dsa-3238 http://www.securitytracker.com/id/1032209 https://code.google.com/p/chromium/issues/detail?id=418402 https://codereview.chromium.org/628763003 http • CWE-352: Cross-Site Request Forgery (CSRF) CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 9.3EPSS: 0%CPEs: 11EXPL: 0CVE-2015-0492 – JDK: unspecified vulnerability fixed in 7u79 and 8u45 (JavaFX)
https://notcve.org/view.php?id=CVE-2015-0492
Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-0484. Vulnerabilidad no especificada en Oracle Java SE 7u76 y 8u40, y JavaFX 2.2.76, permite a atacantes remotos afectar la confidencialidad, la integridad y la disponibilidad a través de vectores desconocidos, una vulnerabilidad diferente a CVE-2015-0484. • http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00017.html http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00018.html http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00002.html http://rhn.redhat.com/errata/RHSA-2015-0854.html http://rhn.redhat.com/errata/RHSA-2015-0857.html http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.securityfocus.com/bid/74129 http://www.securitytracker.com/id/1032120 https://securit •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2015-0486 – JDK: unspecified vulnerability fixed in 8u45 (Deployment)
https://notcve.org/view.php?id=CVE-2015-0486
Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. Vulnerabilidad no especificada en Oracle Java SE 8u40 permite a atacantes remotos afectar la confidencialidad a través de vectores desconocidos relacionados con Deployment. • http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00017.html http://rhn.redhat.com/errata/RHSA-2015-0854.html http://www-01.ibm.com/support/docview.wss?uid=swg21883640 http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.securityfocus.com/bid/74145 http://www.securitytracker.com/id/1032120 https://security.gentoo.org/glsa/201603-11 https://access.redhat.com/security/cve/CVE-2015-0486 https://bugzilla.redhat.com/show_bug.cgi?id=1211774 •