CVEdetails.com the ultimate security vulnerability data source

Google » Chrome : Security Vulnerabilities (CVSS score between 5 and 5.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2021-37991 362 2021-11-02 2021-11-04
5.1
None Remote High Not required Partial Partial Partial
Race in V8 in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
2 CVE-2021-37958 2021-10-08 2021-11-24
5.8
None Remote Medium Not required Partial Partial None
Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.
3 CVE-2021-30603 362 2021-08-26 2021-09-24
5.1
None Remote High Not required Partial Partial Partial
Data race in WebAudio in Google Chrome prior to 92.0.4515.159 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
4 CVE-2021-30593 125 2021-08-26 2021-09-24
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in Tab Strip in Google Chrome prior to 92.0.4515.131 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted HTML page.
5 CVE-2021-30539 863 Bypass 2021-06-07 2021-07-18
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page.
6 CVE-2021-30536 125 2021-06-07 2021-07-18
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in V8 in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page.
7 CVE-2021-30511 125 2021-06-04 2021-07-18
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in Tab Groups in Google Chrome prior to 90.0.4430.212 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted HTML page.
8 CVE-2021-21205 Bypass 2021-04-26 2021-06-03
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
9 CVE-2021-21172 Bypass 2021-03-09 2021-05-01
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
10 CVE-2021-21125 287 Bypass 2021-02-09 2021-03-08
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.
11 CVE-2020-16041 125 +Info 2021-01-08 2021-03-04
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in networking in Google Chrome prior to 87.0.4280.88 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
12 CVE-2020-6575 362 2020-09-21 2021-01-27
5.1
None Remote High Not required Partial Partial Partial
Race in Mojo in Google Chrome prior to 85.0.4183.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
13 CVE-2020-6425 20 Bypass 2020-03-23 2020-03-25
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.149 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension.
14 CVE-2020-6412 20 2020-02-11 2020-02-17
5.8
None Remote Medium Not required Partial Partial None
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
15 CVE-2020-6411 20 2020-02-11 2020-02-12
5.8
None Remote Medium Not required Partial Partial None
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
16 CVE-2020-6394 20 Bypass 2020-02-11 2021-07-21
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page.
17 CVE-2019-13711 200 +Info 2019-11-25 2021-07-21
5.0
None Remote Low Not required Partial None None
Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
18 CVE-2019-13680 2019-11-25 2020-08-24
5.0
None Remote Low Not required None Partial None
Inappropriate implementation in TLS in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to spoof client IP address to websites via crafted TLS connections.
19 CVE-2019-5881 125 +Info 2019-11-25 2019-12-02
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in SwiftShader in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
20 CVE-2019-5849 125 +Info 2019-11-25 2019-11-27
5.8
None Remote Medium Not required Partial None Partial
Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
21 CVE-2019-5823 601 Bypass 2019-06-27 2019-07-25
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
22 CVE-2019-5796 362 2019-05-23 2021-07-21
5.1
None Remote High Not required Partial Partial Partial
Data race in extensions guest view in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
23 CVE-2019-5755 189 2019-02-19 2019-04-17
5.8
None Remote Medium Not required Partial Partial None
Incorrect handling of negative zero in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.
24 CVE-2018-16086 285 Bypass 2019-06-27 2019-07-01
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
25 CVE-2018-10229 200 +Info 2018-05-04 2019-10-03
5.8
None Remote Medium Not required Partial Partial None
A hardware vulnerability in GPU memory modules allows attackers to accelerate micro-architectural attacks through the use of the JavaScript WebGL API.
26 CVE-2018-6158 362 2019-01-09 2019-01-14
5.1
None Remote High Not required Partial Partial Partial
A race condition in Oilpan in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
27 CVE-2018-6138 20 Bypass 2019-06-27 2019-06-28
5.8
None Remote Medium Not required Partial Partial None
Insufficient policy enforcement in Extensions API in Google Chrome prior to 67.0.3396.62 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
28 CVE-2018-6110 20 2019-01-09 2019-01-30
5.8
None Remote Medium Not required Partial Partial None
Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.
29 CVE-2018-6101 20 Exec Code 2018-12-04 2019-03-01
5.1
None Remote High Not required Partial Partial Partial
A lack of host validation in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page, if the user is running a remote DevTools debugging server.
30 CVE-2018-6061 362 2018-11-14 2018-12-19
5.1
None Remote High Not required Partial Partial Partial
A race in the handling of SharedArrayBuffers in WebAssembly in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
31 CVE-2018-6034 125 2018-09-25 2018-11-13
5.8
None Remote Medium Not required Partial None Partial
Insufficient data validation in WebGL in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
32 CVE-2017-15423 310 2018-08-28 2018-11-02
5.0
None Remote Low Not required Partial None None
Inappropriate implementation in BoringSSL SPAKE2 in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to leak the low-order bits of SHA512(password) by inspecting protocol traffic.
33 CVE-2016-7153 200 +Info 2016-09-06 2017-02-19
5.0
None Remote Low Not required Partial None None
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
34 CVE-2016-7152 200 +Info 2016-09-06 2017-02-19
5.0
None Remote Low Not required Partial None None
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
35 CVE-2016-5168 346 Bypass +Info 2017-04-21 2017-04-27
5.0
None Remote Low Not required Partial None None
Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information.
36 CVE-2016-5141 20 2016-08-07 2017-07-01
5.0
None Remote Low Not required None Partial None
Blink, as used in Google Chrome before 52.0.2743.116, allows remote attackers to spoof the address bar via vectors involving a provisional URL for an initially empty document, related to FrameLoader.cpp and ScopedPageLoadDeferrer.cpp.
37 CVE-2016-2845 200 +Info 2016-03-06 2016-12-03
5.0
None Remote Low Not required Partial None None
The Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 49.0.2623.75, does not ignore a URL's path component in the case of a ServiceWorker fetch, which allows remote attackers to obtain sensitive information about visited web pages by reading CSP violation reports, related to FrameFetchContext.cpp and ResourceFetcher.cpp.
38 CVE-2016-1700 DoS 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
extensions/renderer/runtime_custom_bindings.cc in Google Chrome before 51.0.2704.79 does not consider side effects during creation of an array of extension views, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to extensions.
39 CVE-2016-1691 119 DoS Overflow 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
Skia, as used in Google Chrome before 51.0.2704.63, mishandles coincidence runs, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted curves, related to SkOpCoincidence.cpp and SkPathOpsCommon.cpp.
40 CVE-2016-1690 DoS 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
The Autofill implementation in Google Chrome before 51.0.2704.63 mishandles the interaction between field updates and JavaScript code that triggers a frame deletion, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted web site, a different vulnerability than CVE-2016-1701.
41 CVE-2016-1684 DoS Overflow 2016-06-05 2017-07-01
5.1
None Remote High Not required Partial Partial Partial
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document.
42 CVE-2016-1683 119 DoS Overflow 2016-06-05 2018-10-30
5.1
None Remote High Not required Partial Partial Partial
numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.
43 CVE-2016-1651 200 DoS +Info 2016-04-18 2018-10-30
5.8
None Remote Medium Not required Partial None Partial
fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 50.0.2661.75, does not properly implement the sycc420_to_rgb and sycc422_to_rgb functions, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted JPEG 2000 data in a PDF document.
44 CVE-2015-6759 200 +Info 2015-10-15 2016-12-24
5.0
None Remote Low Not required Partial None None
The shouldTreatAsUniqueOrigin function in platform/weborigin/SecurityOrigin.cpp in Blink, as used in Google Chrome before 46.0.2490.71, does not ensure that the origin of a LocalStorage resource is considered unique, which allows remote attackers to obtain sensitive information via vectors involving a blob: URL.
45 CVE-2015-5605 17 DoS Overflow 2015-07-23 2018-10-30
5.0
None Remote Low Not required None None Partial
The regular-expression implementation in Google V8, as used in Google Chrome before 44.0.2403.89, mishandles interrupts, which allows remote attackers to cause a denial of service (application crash) via crafted JavaScript code, as demonstrated by an error in garbage collection during allocation of a stack-overflow exception message.
46 CVE-2015-1300 254 +Info 2015-09-03 2016-12-22
5.0
None Remote Low Not required Partial None None
The FrameFetchContext::updateTimingInfoForIFrameNavigation function in core/loader/FrameFetchContext.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to obtain sensitive information via crafted JavaScript code that leverages a history.back call.
47 CVE-2015-1296 254 2015-09-03 2016-12-22
5.0
None Remote Low Not required None Partial None
The UnescapeURLWithAdjustmentsImpl implementation in net/base/escape.cc in Google Chrome before 45.0.2454.85 does not prevent display of Unicode LOCK characters in the omnibox, which makes it easier for remote attackers to spoof the SSL lock icon by placing one of these characters at the end of a URL, as demonstrated by the omnibox in localizations for right-to-left languages.
48 CVE-2015-1292 264 Bypass 2015-09-03 2016-12-22
5.0
None Remote Low Not required Partial None None
The NavigatorServiceWorker::serviceWorker function in modules/serviceworkers/NavigatorServiceWorker.cpp in Blink, as used in Google Chrome before 45.0.2454.85, allows remote attackers to bypass the Same Origin Policy by accessing a Service Worker.
49 CVE-2015-1285 200 XSS +Info 2015-07-23 2018-10-30
5.0
None Remote Low Not required Partial None None
The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor.cpp in the XSS auditor in Blink, as used in Google Chrome before 44.0.2403.89, does not properly choose a truncation point, which makes it easier for remote attackers to obtain sensitive information via an unspecified linear-time attack.
50 CVE-2015-1268 254 Bypass 2015-06-26 2016-12-31
5.0
None Remote Low Not required None Partial None
bindings/scripts/v8_types.py in Blink, as used in Google Chrome before 43.0.2357.130, does not properly select a creation context for a return value's DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code, as demonstrated by use of a data: URL.
Total number of vulnerabilities: 225 (this is page 1 of 5)