Risk | High |
Patch available | YES |
Number of vulnerabilities | 18 |
CVE-ID | CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17473 CVE-2018-17475 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17474 CVE-2018-17471 CVE-2018-17472 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477 |
CWE-ID | CWE-265 CWE-843 CWE-122 CWE-20 CWE-416 CWE-119 CWE-200 CWE-451 |
Exploitation vector | Network |
Public exploit | Vulnerability #2 is being exploited in the wild. |
Vulnerable software | Google Chrome (Client/Desktop applications / Web browsers) |
Vendor |
Security Bulletin
This security bulletin contains information about 18 vulnerabilities.
Updated: 10.03.2020
Updated description and references sections for vulnerability #2.
EUVDB-ID: #VU15468
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-17462
CWE-ID:
CWE-265 - Privilege / Sandbox Issues
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a sandbox escape in AppCache. A remote attacker can trick the victim into visiting a specially crafted website, escape the sandbox in AppCache and gain unauthorized access to the system to execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15469
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2018-17463
CWE-ID:
CWE-843 - Type confusion
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing HTML content in Google Chrome's JIT compiler. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_object_create.rb
https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
EUVDB-ID: #VU15470
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: N/A
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a heap-based buffer overflow in Little CMS in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 69.0.3497.81
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15471
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17464
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and spoof URLs.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15472
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-17465
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free error in V8. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15473
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-17466
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error in ANGLE. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15474
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17467
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and spoof URLs.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15475
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17473
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and spoof URLs.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15476
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17475
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to spoof URLs.
The vulnerability exists due to an error in Omnibox. A remote attacker can trick the victim into visiting a specially crafted website and spoof URLs.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15477
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17468
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to cross-origin URL disclosure in Blink. A remote attacker can trick the victim into visiting a specially crafted website and disclose a cross-origin URL.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15478
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17469
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a heap-based buffer overflow in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15479
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17470
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a boundary error in GPU Internals. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15480
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17474
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a use-after-free error in Blink. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and cause the service to crash.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15481
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17471
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to security UI occlusion in full screen mode. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15482
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17472
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to an iframe sandbox escape on iOS. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15483
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17476
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to security UI occlusion in full screen mode. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15484
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-5179
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to a lack of limits on update() in ServiceWorker. A remote attacker can trick the victim into visiting a specially crafted website and bypass security restrictions to conduct further attacks.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15485
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-17477
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to an error in Blink. A remote attacker can trick the victim into visiting a specially crafted website and conduct a UI spoofing attack.
Mitigation: Update to version 70.0.3538.67.
Vulnerable software versions: Google Chrome: 67.0.3396.62 - 69.0.3497.100
External links:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
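Every entry in this bulletin has the same mitigation, so patch status can be triaged by comparing installed Chrome versions with 70.0.3538.67. The following is an added example, not part of the original bulletin: host names, inventory strings and status labels are constructed, and treating versions below the fix but outside the listed range as needing an update is an assumption.

```python
import re

# Values taken from the bulletin.
FIXED = (70, 0, 3538, 67)          # "Update to version 70.0.3538.67"
LISTED_LOW = (67, 0, 3396, 62)     # listed vulnerable range, lower bound
LISTED_HIGH = (69, 0, 3497, 100)   # listed vulnerable range, upper bound

# Chrome versions have four numeric fields: MAJOR.MINOR.BUILD.PATCH.
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first four-part version from text as a tuple of ints.

    Accepts a bare version or a string such as "Google Chrome 69.0.3497.100".
    Returns None when no version is present.
    """
    match = _VERSION.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return one of the (hypothetical) status labels for a reported version."""
    version = parse_version(text)
    if version is None:
        return "unparseable"
    # Tuples of ints compare field by field; comparing the raw strings would
    # sort "100.0.4896.60" below "70.0.3538.67" and flag a patched host.
    if version >= FIXED:
        return "patched"
    if LISTED_LOW <= version <= LISTED_HIGH:
        return "vulnerable-listed"
    # Assumption: below the fixed release but not in the bulletin's range.
    return "below-fix-unlisted"


def triage(inventory):
    """Group hosts by status. inventory is an iterable of (host, version text)."""
    report = {}
    for host, reported in inventory:
        report.setdefault(classify(reported), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 69.0.3497.100"),
    ("ws-02", "70.0.3538.67"),
    ("ws-03", "Google Chrome 100.0.4896.60"),
    ("ws-04", "66.0.3359.117"),
    ("ws-05", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```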