Vulnerabilities > Google > Chrome > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-09-25 CVE-2016-5174 Improper Input Validation vulnerability in Google Chrome
browser/ui/cocoa/browser_window_controller_private.mm in Google Chrome before 53.0.2785.113 does not process fullscreen toggle requests during a fullscreen transition, which allows remote attackers to cause a denial of service (unsuppressed popup) via a crafted web site.
network
low complexity
google CWE-20
6.5
2016-09-25 CVE-2016-5172 Information Exposure vulnerability in multiple products
The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code.
network
low complexity
google nodejs debian CWE-200
6.5
2016-09-11 CVE-2016-5165 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in the Developer Tools (aka DevTools) subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux allows remote attackers to inject arbitrary web script or HTML via the settings parameter in a chrome-devtools-frontend.appspot.com URL's query string.
network
low complexity
google opensuse CWE-79
6.1
2016-09-11 CVE-2016-5164 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in WebKit/Source/platform/v8_inspector/V8Debugger.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML into the Developer Tools (aka DevTools) subsystem via a crafted web site, aka "Universal XSS (UXSS)."
network
low complexity
google opensuse CWE-79
6.1
2016-09-11 CVE-2016-5163 7PK - Security Features vulnerability in multiple products
The bidirectional-text implementation in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not ensure left-to-right (LTR) rendering of URLs, which allows remote attackers to spoof the address bar via crafted right-to-left (RTL) Unicode text, related to omnibox/SuggestionView.java and omnibox/UrlBar.java in Chrome for Android.
network
low complexity
google opensuse CWE-254
4.3
2016-09-11 CVE-2016-5162 7PK - Security Features vulnerability in multiple products
The AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks, and trick users into changing extension settings, via a crafted web site, a different vulnerability than CVE-2016-5160.
network
low complexity
opensuse google CWE-254
6.5
2016-09-11 CVE-2016-5160 7PK - Security Features vulnerability in multiple products
The AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks, and trick users into changing extension settings, via a crafted web site, a different vulnerability than CVE-2016-5162.
network
low complexity
opensuse google CWE-254
6.5
2016-09-11 CVE-2016-5155 7PK - Security Features vulnerability in multiple products
Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly validate access to the initial document, which allows remote attackers to spoof the address bar via a crafted web site.
network
low complexity
google opensuse CWE-254
6.5
2016-09-11 CVE-2016-5148 Cross-site Scripting vulnerability in Google Chrome
Cross-site scripting (XSS) vulnerability in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allows remote attackers to inject arbitrary web script or HTML via vectors related to widget updates, aka "Universal XSS (UXSS)."
network
low complexity
google CWE-79
6.1
2016-09-11 CVE-2016-5147 Cross-site Scripting vulnerability in Google Chrome
Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles deferred page loads, which allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)."
network
low complexity
google CWE-79
6.1