Multiple vulnerabilities in Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 27 |
| CVE-ID | CVE-2018-6064 CVE-2018-6060 CVE-2018-6061 CVE-2018-6062 CVE-2018-6065 CVE-2018-6066 CVE-2018-6057 CVE-2018-6063 CVE-2018-6067 CVE-2018-6068 CVE-2018-6069 CVE-2018-6070 CVE-2018-6071 CVE-2018-6072 CVE-2018-6073 CVE-2018-6074 CVE-2018-6075 CVE-2018-6076 CVE-2018-6077 CVE-2018-6078 CVE-2018-6079 CVE-2018-6080 CVE-2018-6081 CVE-2018-6082 CVE-2018-6083 CVE-2017-11215 CVE-2017-11225 |
| CWE-ID | CWE-843 CWE-416 CWE-362 CWE-122 CWE-190 CWE-20 CWE-119 CWE-120 CWE-404 CWE-121 CWE-284 CWE-264 CWE-19 CWE-385 CWE-451 CWE-200 CWE-79 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #5 is being exploited in the wild. |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 27 vulnerabilities.
1) Type confusion
EUVDB-ID: #VU11543
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6064
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU11558
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6060
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Race condition
EUVDB-ID: #VU11560
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6061
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to race condition in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU11561
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6062
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow in Skia. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU11562
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2018-6065
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
6) Security restrictions bypass
EUVDB-ID: #VU11563
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6066
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to same origin bypass via canvas. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory corruption
EUVDB-ID: #VU11564
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6057
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to incorrect permissions on shared memory. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Memory corruption
EUVDB-ID: #VU11565
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6063
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to incorrect permissions on shared memory. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU11566
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6067
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Skia due to buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Improper resource shutdown
EUVDB-ID: #VU11567
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6068
CWE-ID:
CWE-404 - Improper Resource Shutdown or Release
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to object lifetime issues. A remote attacker can cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Stack-based buffer overflow
EUVDB-ID: #VU11568
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6069
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Skia due to stack-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper access control
EUVDB-ID: #VU11569
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6070
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to CSP bypass through extensions. A remote attacker can bypass security restrictions.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Heap-based buffer overflow
EUVDB-ID: #VU11570
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6071
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Skia due to heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Integer overflow
EUVDB-ID: #VU11571
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6072
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in PDFium due to integer overflow. A remote attacker can trigger buffer overflow and cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Heap-based buffer overflow
EUVDB-ID: #VU11573
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6073
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in WebGL due to heap-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Improper access control
EUVDB-ID: #VU11574
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6074
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to Mark-of-the-Web bypass. A remote attacker can bypass security restrictions.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Security restrictions bypass
EUVDB-ID: #VU11576
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6075
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to overly permissive cross origin downloads. A remote attacker can bypass security restrictions.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Data handling
EUVDB-ID: #VU11578
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-6076
CWE-ID:
CWE-19 - Data Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Blink due to incorrect handling of URL fragment identifiers. A remote attacker can cause the service to crash.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Timing attack
EUVDB-ID: #VU11581
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6077
CWE-ID:
CWE-385 - Covert Timing Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in SVG filters due to covert timing channel. A remote attacker can gain access to potentially sensitive information.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Spoofing attack
EUVDB-ID: #VU11582
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6078
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct spoofing attack on the target system.
The weakness exists in OmniBox due to URL spoof. A remote attacker can perform spoofing attack and obtain arbitrary data.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Information disclosure
EUVDB-ID: #VU11583
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6079
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in WebGL due to improper information control via texture data. A remote attacker can gain access to potentially sensitive information.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Information disclosure
EUVDB-ID: #VU11584
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6080
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in IPC call due to improper information control. A remote attacker can gain access to potentially sensitive information.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Cross-site scripting
EUVDB-ID: #VU11585
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6081
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The weakness exists in interstitials due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Security restrictions bypass
EUVDB-ID: #VU11586
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6082
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to circumvention of port blocking. A remote attacker can bypass security restrictions.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Improper access control
EUVDB-ID: #VU11587
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6083
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to incorrect processing of AppManifests. A remote attacker can bypass security restrictions.
Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: 62.0.3202.89 - 64.0.3282.186
CPE2.3- cpe:2.3:a:google:google_chrome:62.0.3202.89:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:62.0.3202.94:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:63.0.3239.84:*:*:*:*:*:*:*
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Use-after-free error
EUVDB-ID: #VU9197
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-11215
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
MitigationUpdate to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: before 65.0.3325.146
CPE2.3 External linkshttps://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Use-after-free error
EUVDB-ID: #VU9198
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-11225
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
MitigationUpdate to version Update to version 65.0.3325.146.
Vulnerable software versionsGoogle Chrome: before 65.0.3325.146
CPE2.3 External linkshttps://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
