CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
High
EPSS
Percentile
92.3%
Multiple serious vulnerabilities have been found in Google Chrome. Malicious users can exploit these vulnerabilities to spoof user interface, cause denial of service, bypass security restrictions or obtain sensitive information.
Below is a complete list of vulnerabilities
Technical details
(1) caused by hiding location bar for a hosted app’s window after navigation away from installation site.
Decompose function in Blink does not verify success of matrix inversion operation. Unitialized memory access and application crash can be caused by using (2)
(3) related to OpenJPEG before r3002.
(5) caused by lack of restrictions in availability of IFRAME Resource Timing API. Can be exploited via a specially designed JavaScript code that cause history.back call.
Vulnerability (6) can be exploited via shared-timer erroneous firing.
When extension uninstalled Chrome does not ensure that preference setUninstallURL corresponds to web site with proper functionality. (7) can be exploited to access arbitrary URL after specially designed application uninstallation.
Vulnerability (9) have some requisitions to be exploited. As Chrome does not restricts display of Unicide LOCK symbol attacker can spoof SSL lock icon by placing special symbol at end of URL at localizations with right-to-left languages.
(10) can be exploited via nested IPC messages during preparation for printing.
(11) can be exploited via matrix element which causes infinite result during calculation of inversion.
Exploitation of (12) leads to bypass Same Origin policy.
(13) caused by lack of check if DOM node is expected and leads to bypassing Same Origin Policy via DOM tree corruption.
CVE-2015-1299 critical
CVE-2015-1300 critical
CVE-2015-1301 critical
CVE-2015-6581 critical
CVE-2015-1295 critical
CVE-2015-1296 critical
CVE-2015-1297 critical
CVE-2015-1298 warning
CVE-2015-6582 high
CVE-2015-6583 warning
CVE-2015-6580 critical
CVE-2015-1294 critical
CVE-2015-1291 high
CVE-2015-1292 critical
CVE-2015-1293 critical
Update to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk.
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.