Vulnerabilities > Google > Chrome > 2.0.172.38

DATE CVE VULNERABILITY TITLE RISK
2010-02-18 CVE-2010-0643 Information Exposure vulnerability in Google Chrome
Google Chrome before 4.0.249.89 attempts to make direct connections to web sites when all configured proxy servers are unavailable, which allows remote HTTP servers to obtain potentially sensitive information about the identity of a client user via standard HTTP logging, as demonstrated by a proxy server that was configured for the purpose of anonymity.
network
google CWE-200
4.3
2010-02-18 CVE-2010-0556 Credentials Management vulnerability in Google Chrome
browser/login/login_prompt.cc in Google Chrome before 4.0.249.89 populates an authentication dialog with credentials that were stored by Password Manager for a different web site, which allows user-assisted remote HTTP servers to obtain sensitive information via a URL that requires authentication, as demonstrated by a URL in the SRC attribute of an IMG element.
network
google CWE-255
4.3
2010-01-14 CVE-2010-0315 Multiple Security vulnerability in Google Chrome prior to 4.0.249.89
WebKit before r53607, as used in Google Chrome before 4.0.249.89, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element.
network
low complexity
google
5.0
2009-11-13 CVE-2009-2816 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.
6.8
2009-11-12 CVE-2009-3934 Unspecified vulnerability in Google Chrome
The WebFrameLoaderClient::dispatchDidChangeLocationWithinPage function in src/webkit/glue/webframeloaderclient_impl.cc in Google Chrome before 3.0.195.32 allows user-assisted remote attackers to cause a denial of service via a page-local link, related to an "empty redirect chain," as demonstrated by a message in Yahoo! Mail.
network
google
4.3
2009-11-12 CVE-2009-3933 Resource Management Errors vulnerability in Webkit 2.4.11
WebKit before r50173, as used in Google Chrome before 3.0.195.32, allows remote attackers to cause a denial of service (CPU consumption) via a web page that calls the JavaScript setInterval method, which triggers an incompatibility between the WTF::currentTime and base::Time functions.
network
low complexity
webkit google CWE-399
5.0
2009-11-12 CVE-2009-3932 Denial-Of-Service vulnerability in Chrome
The Gears plugin in Google Chrome before 3.0.195.32 allows user-assisted remote attackers to cause a denial of service (memory corruption and plugin crash) or possibly execute arbitrary code via unspecified use of the Gears SQL API, related to putting "SQL metadata into a bad state."
network
google
critical
9.3
2009-11-12 CVE-2009-3931 Improper Input Validation vulnerability in Google Chrome
Incomplete blacklist vulnerability in browser/download/download_exe.cc in Google Chrome before 3.0.195.32 allows remote attackers to force the download of certain dangerous files via a "Content-Disposition: attachment" designation, as demonstrated by (1) .mht and (2) .mhtml files, which are automatically executed by Internet Explorer 6; (3) .svg files, which are automatically executed by Safari; (4) .xml files; (5) .htt files; (6) .xsl files; (7) .xslt files; and (8) image files that are forbidden by the victim's site policy.
network
google CWE-20
critical
9.3
2009-09-29 CVE-2009-3456 Cryptographic Issues vulnerability in Google Chrome
Google Chrome, possibly 3.0.195.21 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
network
low complexity
google CWE-310
7.5
2009-09-18 CVE-2009-3264 Permissions, Privileges, and Access Controls vulnerability in Google Chrome
The getSVGDocument method in Google Chrome before 3.0.195.21 omits an unspecified "access check," which allows remote web servers to bypass the Same Origin Policy and conduct cross-site scripting attacks via unknown vectors, related to a user's visit to a different web server that hosts an SVG document.
network
google CWE-264
4.3