CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Google » Chrome : Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2008-7294 264 2011-08-09 2012-08-02
5.8
None Remote Medium Not required None Partial Partial
Google Chrome before 4.0.211.0 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.
2 CVE-2009-2060 287 2009-06-15 2017-08-17
5.8
None Remote Medium Not required Partial Partial None
src/net/http/http_transaction_winhttp.cc in Google Chrome before 1.0.154.53 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.
3 CVE-2011-1446 2011-05-03 2020-05-22
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 11.0.696.57 allows remote attackers to spoof the URL bar via vectors involving (1) a navigation error or (2) an interrupted load.
4 CVE-2011-1452 20 2011-05-03 2020-05-22
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 11.0.696.57 allows user-assisted remote attackers to spoof the URL bar via vectors involving a redirect and a manual reload.
5 CVE-2011-1814 824 DoS 2011-06-09 2020-05-22
5.8
None Remote Medium Not required Partial None Partial
Google Chrome before 12.0.742.91 attempts to read data from an uninitialized pointer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
6 CVE-2011-3061 295 +Info 2012-03-30 2020-04-14
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 18.0.1025.142 does not properly check X.509 certificates before use of a SPDY proxy, which might allow man-in-the-middle attackers to spoof servers or obtain sensitive information via a crafted certificate.
7 CVE-2011-3964 20 2012-02-09 2020-04-17
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 17.0.963.46 does not properly implement the drag-and-drop feature, which makes it easier for remote attackers to spoof the URL bar via unspecified vectors.
8 CVE-2013-2879 200 +Info 2013-07-10 2017-09-19
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 28.0.1500.71 does not properly determine the circumstances in which a renderer process can be considered a trusted process for sign-in and subsequent sync operations, which makes it easier for remote attackers to conduct phishing attacks via a crafted web site.
9 CVE-2013-2881 264 Bypass 2013-07-31 2017-09-19
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 28.0.1500.95 does not properly handle frames, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
10 CVE-2013-6666 264 Bypass 2014-03-05 2017-01-07
5.8
None Remote Medium Not required Partial Partial None
The PepperFlashRendererHost::OnNavigate function in renderer/pepper/pepper_flash_renderer_host.cc in Google Chrome before 33.0.1750.146 does not verify that all headers are Cross-Origin Resource Sharing (CORS) simple headers before proceeding with a PPB_Flash.Navigate operation, which might allow remote attackers to bypass intended CORS restrictions via an inappropriate header.
11 CVE-2013-6802 264 Bypass 2013-11-18 2018-12-13
5.8
None Remote Medium Not required Partial Partial None
Google Chrome before 31.0.1650.57 allows remote attackers to bypass intended sandbox restrictions by leveraging access to a renderer process, as demonstrated during a Mobile Pwn2Own competition at PacSec 2013, a different vulnerability than CVE-2013-6632.
12 CVE-2016-1651 200 DoS +Info 2016-04-18 2018-10-30
5.8
None Remote Medium Not required Partial None Partial
fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 50.0.2661.75, does not properly implement the sycc420_to_rgb and sycc422_to_rgb functions, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted JPEG 2000 data in a PDF document.
13 CVE-2018-6034 125 2018-09-25 2018-11-13
5.8
None Remote Medium Not required Partial None Partial
Insufficient data validation in WebGL in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
14 CVE-2018-6110 20 2019-01-09 2019-01-30
5.8
None Remote Medium Not required Partial Partial None
Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.
15 CVE-2018-6138 20 Bypass 2019-06-27 2019-06-28
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in Extensions API in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
16 CVE-2018-10229 200 +Info 2018-05-04 2019-10-03
5.8
None Remote Medium Not required Partial Partial None
A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.
17 CVE-2018-16086 285 Bypass 2019-06-27 2019-07-01
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
18 CVE-2019-5755 189 2019-02-19 2019-04-17
5.8
None Remote Medium Not required Partial Partial None
Incorrect handling of negative zero in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.
19 CVE-2019-5823 601 Bypass 2019-06-27 2019-07-25
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
20 CVE-2019-5849 125 +Info 2019-11-25 2019-11-27
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
21 CVE-2019-5881 125 +Info 2019-11-25 2019-12-02
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in SwiftShader in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
22 CVE-2020-6394 20 Bypass 2020-02-11 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.
23 CVE-2020-6411 20 2020-02-11 2020-02-12
5.8
None Remote Medium Not required Partial Partial None
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
24 CVE-2020-6412 20 2020-02-11 2020-02-17
5.8
None Remote Medium Not required Partial Partial None
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
25 CVE-2020-6425 20 Bypass 2020-03-23 2020-03-25
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension.
26 CVE-2020-16041 125 +Info 2021-01-08 2021-03-04
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in networking in Google Chrome prior to 87.0.4280.88 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
27 CVE-2021-21125 287 Bypass 2021-02-09 2021-03-08
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
28 CVE-2021-21205 Bypass 2021-04-26 2021-06-03
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
29 CVE-2021-30511 125 2021-06-04 2021-12-02
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in Tab Groups in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted HTML page.
30 CVE-2021-30536 125 2021-06-07 2021-12-01
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in V8 in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page.
31 CVE-2021-30539 863 Bypass 2021-06-07 2021-12-01
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
32 CVE-2021-30593 125 2021-08-26 2021-11-30
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in Tab Strip in Google Chrome prior to 92.0.4515.131 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted HTML page.
33 CVE-2021-37958 2021-10-08 2022-01-15
5.8
None Remote Medium Not required Partial Partial None
Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.
34 CVE-2016-1683 119 DoS Overflow 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.
35 CVE-2016-1684 DoS Overflow 2016-06-05 2017-07-01
5.1
None Remote High Not required Partial Partial Partial
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.
36 CVE-2016-1690 DoS 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
The Autofill implementation in Google Chrome before 51.0.2704.63 mishandles the interaction between field updates and JavaScript code that triggers a frame deletion, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted web site, a different vulnerability than CVE-2016-1701.
37 CVE-2016-1691 119 DoS Overflow 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
Skia, as used in Google Chrome before 51.0.2704.63, mishandles coincidence runs, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted curves, related to SkOpCoincidence.cpp and SkPathOpsCommon.cpp.
38 CVE-2016-1700 DoS 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
extensions/renderer/runtime_custom_bindings.cc in Google Chrome before 51.0.2704.79 does not consider side effects during creation of an array of extension views, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to extensions.
39 CVE-2018-6061 362 2018-11-14 2018-12-19
5.1
None Remote High Not required Partial Partial Partial
A race in the handling of SharedArrayBuffers in WebAssembly in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
40 CVE-2018-6101 20 Exec Code 2018-12-04 2019-03-01
5.1
None Remote High Not required Partial Partial Partial
A lack of host validation in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page, if the user is running a remote DevTools debugging server.
41 CVE-2018-6158 362 2019-01-09 2019-01-14
5.1
None Remote High Not required Partial Partial Partial
A race condition in Oilpan in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
42 CVE-2019-5796 362 2019-05-23 2021-07-21
5.1
None Remote High Not required Partial Partial Partial
Data race in extensions guest view in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
43 CVE-2020-6575 362 2020-09-21 2021-01-27
5.1
None Remote High Not required Partial Partial Partial
Race in Mojo in Google Chrome prior to 85.0.4183.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
44 CVE-2021-30603 362 2021-08-26 2021-11-30
5.1
None Remote High Not required Partial Partial Partial
Data race in WebAudio in Google Chrome prior to 92.0.4515.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
45 CVE-2021-37991 362 2021-11-02 2022-01-15
5.1
None Remote High Not required Partial Partial Partial
Race in V8 in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
46 CVE-2008-6996 DoS 2009-08-19 2018-10-11
5.0
None Remote Low Not required None None Partial
Google Chrome BETA (0.2.149.27) does not prompt the user before saving an executable file, which makes it easier for remote attackers or malware to cause a denial of service (disk consumption) or exploit other vulnerabilities via a URL that references an executable file, possibly related to the "ask where to save each file before downloading" setting.
47 CVE-2008-7246 399 DoS 2009-09-18 2018-10-11
5.0
None Remote Low Not required None None Partial
Google Chrome 0.2.149.29 and earlier allows remote attackers to cause a denial of service (unusable browser) by calling the window.print function in a loop, aka a "printing DoS attack," possibly a related issue to CVE-2009-0821.
48 CVE-2009-0276 Bypass 2009-02-03 2009-02-04
5.0
None Remote Low Not required Partial None None
Cross-domain vulnerability in the V8 JavaScript engine in Google Chrome before 1.0.154.46 allows remote attackers to bypass the Same Origin Policy via a crafted script that accesses another frame and reads its full URL and possibly other sensitive information, or modifies the URL of this frame.
49 CVE-2009-0411 264 +Info 2009-02-03 2017-08-08
5.0
None Remote Low Not required Partial None None
Google Chrome before 1.0.154.46 does not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls and other web script.
50 CVE-2009-1514 399 DoS 2009-05-04 2017-09-29
5.0
None Remote Low Not required None None Partial
Google Chrome 1.0.154.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a throw statement with a long exception value.
Total number of vulnerabilities : 225   Page : 1 (This Page)2 3 4 5
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.