Vulnerabilities > Google > Chrome > 48.0.2564.103

DATE CVE VULNERABILITY TITLE RISK
2016-07-23 CVE-2016-5137 Information Exposure vulnerability in Google Chrome
The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report.
network
low complexity
google CWE-200
4.3
2016-07-23 CVE-2016-5136 Use After Free vulnerability in Google Chrome
Use-after-free vulnerability in extensions/renderer/user_script_injector.cc in the Extensions subsystem in Google Chrome before 52.0.2743.82 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to script deletion.
network
low complexity
google CWE-416
8.8
2016-07-23 CVE-2016-5135 Improper Input Validation vulnerability in Google Chrome
WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a "Content-Security-Policy: referrer origin-when-cross-origin" header that overrides a "<META name='referrer' content='no-referrer'>" element.
network
low complexity
google CWE-20
6.5
2016-07-23 CVE-2016-5134 Information Exposure vulnerability in Google Chrome
net/proxy/proxy_service.cc in the Proxy Auto-Config (PAC) feature in Google Chrome before 52.0.2743.82 does not ensure that URL information is restricted to a scheme, host, and port, which allows remote attackers to discover credentials by operating a server with a PAC script, a related issue to CVE-2016-3763.
network
low complexity
google CWE-200
8.8
2016-07-23 CVE-2016-5133 Improper Authentication vulnerability in Google Chrome
Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect credential storage by modifying the client-server data stream.
network
high complexity
google CWE-287
5.3
2016-07-23 CVE-2016-5132 7PK - Security Features vulnerability in Google Chrome
The Service Workers subsystem in Google Chrome before 52.0.2743.82 does not properly implement the Secure Contexts specification during decisions about whether to control a subframe, which allows remote attackers to bypass the Same Origin Policy via an https IFRAME element inside an http IFRAME element.
network
low complexity
google CWE-254
8.8
2016-07-23 CVE-2016-5131 Use After Free vulnerability in multiple products
Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
8.8
2016-07-23 CVE-2016-5130 Improper Access Control vulnerability in Google Chrome
content/renderer/history_controller.cc in Google Chrome before 52.0.2743.82 does not properly restrict multiple uses of a JavaScript forward method, which allows remote attackers to spoof the URL display via a crafted web site.
network
low complexity
google CWE-284
6.5
2016-07-23 CVE-2016-5128 7PK - Security Features vulnerability in Google Chrome
objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome before 52.0.2743.82, does not prevent API interceptors from modifying a store target without setting a property, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
network
low complexity
google CWE-254
8.8
2016-07-23 CVE-2016-5127 Use After Free vulnerability in Google Chrome
Use-after-free vulnerability in WebKit/Source/core/editing/VisibleUnits.cpp in Blink, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code involving an @import at-rule in a Cascading Style Sheets (CSS) token sequence in conjunction with a rel=import attribute of a LINK element.
network
high complexity
google CWE-416
7.5