Vulnerabilities > Google > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-08-05 CVE-2016-3827 Encoding Error vulnerability in Google Android
codecs/hevcdec/SoftHEVC.cpp in libstagefright in mediaserver in Android 6.0.1 before 2016-08-01 mishandles decoder errors, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28816956.
local
low complexity
google CWE-172
5.5
2016-07-23 CVE-2016-5137 Information Exposure vulnerability in Google Chrome
The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report.
network
low complexity
google CWE-200
4.3
2016-07-23 CVE-2016-5135 Improper Input Validation vulnerability in Google Chrome
WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a "Content-Security-Policy: referrer origin-when-cross-origin" header that overrides a "<META name='referrer' content='no-referrer'>" element.
network
low complexity
google CWE-20
6.5
2016-07-23 CVE-2016-5133 Improper Authentication vulnerability in Google Chrome
Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect credential storage by modifying the client-server data stream.
network
high complexity
google CWE-287
5.3
2016-07-23 CVE-2016-5130 Improper Access Control vulnerability in Google Chrome
content/renderer/history_controller.cc in Google Chrome before 52.0.2743.82 does not properly restrict multiple uses of a JavaScript forward method, which allows remote attackers to spoof the URL display via a crafted web site.
network
low complexity
google CWE-284
6.5
2016-07-23 CVE-2016-1707 Improper Input Validation vulnerability in Google Chrome
ios/web/web_state/ui/crw_web_controller.mm in Google Chrome before 52.0.2743.82 on iOS does not ensure that an invalid URL is replaced with the about:blank URL, which allows remote attackers to spoof the URL display via a crafted web site.
network
low complexity
google CWE-20
6.5
2016-07-11 CVE-2016-3818 Improper Access Control vulnerability in Google Android
libc in Android 4.x before 4.4.4 allows remote attackers to cause a denial of service (device hang or reboot) via a crafted file, aka internal bug 28740702.
local
low complexity
google CWE-284
5.5
2016-07-11 CVE-2016-3816 Information Exposure vulnerability in Google Android
The MediaTek display driver in Android before 2016-07-05 on Android One devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28402240.
local
low complexity
google CWE-200
5.5
2016-07-11 CVE-2016-3815 Information Exposure vulnerability in Google Android
The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28522274.
local
low complexity
google CWE-200
5.5
2016-07-11 CVE-2016-3814 Information Exposure vulnerability in Google Android
The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28193342.
local
low complexity
google CWE-200
5.5