SB2023010926 - Multiple vulnerabilities in Dell Hybrid Client
Published: January 9, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2022-4436)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Blink Media component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
2) Use-after-free (CVE-ID: CVE-2022-4437)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Mojo IPC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
3) Use-after-free (CVE-ID: CVE-2022-4438)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Blink Frames component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
4) Use-after-free (CVE-ID: CVE-2022-4439)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Aura component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
5) Use-after-free (CVE-ID: CVE-2022-4440)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Profiles in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
6) Information disclosure (CVE-ID: CVE-2022-45403)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in Service Workers. A remote attacker can obtain information about the presence or length of a media file using timing information for cross-origin media combined with Range requests.
7) Spoofing attack (CVE-ID: CVE-2022-45404)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of a series of popup and window.print() calls. A remote attacker can force the browser to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.
8) Use-after-free (CVE-ID: CVE-2022-45405)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the InputStream implementation. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
9) Use-after-free (CVE-ID: CVE-2022-45406)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when handling JavaScript realms. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
10) Spoofing attack (CVE-ID: CVE-2022-45408)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of a series of popups that reuse windowName. A remote attacker can force the browser to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.
11) Use-after-free (CVE-ID: CVE-2022-45409)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Garbage Collection. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
12) Incorrect Regular Expression (CVE-ID: CVE-2022-31129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when parsing overly long strings. A remote attacker can pass a string that contains more that 10k characters and perform regular expression denial of service (ReDoS) attack.
Remediation
Install update from vendor's website.