Multiple vulnerabilities in Techland Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2013-0910 CVE-2013-0911 CVE-2013-0902 CVE-2013-0903 CVE-2013-0904 CVE-2013-0905 CVE-2013-0906 CVE-2013-0907 CVE-2013-0908 CVE-2013-0909 |
| CWE-ID | CWE-287 CWE-22 CWE-416 CWE-119 CWE-362 CWE-20 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU43027
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0910
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 25.0.1364.152 does not properly manage the interaction between the browser process and renderer processes during authorization of the loading of a plug-in, which makes it easier for remote attackers to bypass intended access restrictions via vectors involving a blocked plug-in.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=172573
http://codereview.chromium.org/12086077
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16574
http://src.chromium.org/viewvc/chrome?view=rev&revision=180103
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU43028
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0911
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in Google Chrome before 25.0.1364.152. A remote authenticated attacker can send a specially crafted HTTP request and remote attackers to have an unspecified impact via vectors related to databases.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=172264
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16377
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU43029
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0902
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing unknown vectors. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=176882
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16439
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free
EUVDB-ID: #VU43030
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0903
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to the handling of browser navigation. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=176252
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16661
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU43031
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0904
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The Web Audio implementation in Google Chrome before 25.0.1364.152 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=172331
http://code.google.com/p/chromium/issues/detail?id=172926
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16042
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU43032
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0905
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving an SVG animation. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=168982
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16495
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Buffer overflow
EUVDB-ID: #VU43033
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0906
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The IndexedDB implementation in Google Chrome before 25.0.1364.152 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=174895
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16653
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Race condition
EUVDB-ID: #VU43034
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0907
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Race condition in Google Chrome before 25.0.1364.152 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of media threads.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=174150
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16633
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU43035
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0908
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Google Chrome before 25.0.1364.152 does not properly manage bindings of extension processes, which has unspecified impact and attack vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=174059
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16369
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site scripting
EUVDB-ID: #VU43036
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0909
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via unspecified vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 25.0.1364.0 - 25.0.1364.125
CPE2.3- cpe:2.3:a:google:google_chrome:25.0.1364.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:25.0.1364.2:*:*:*:*:*:*:*
http://googlechromereleases.blogspot.com/2013/03/stable-channel-update_4.html
http://code.google.com/p/chromium/issues/detail?id=173906
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16132
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
