Multiple vulnerabilities in Chrome
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2013-6656 CVE-2013-6657 CVE-2013-6658 CVE-2013-6659 CVE-2013-6660 CVE-2013-6661 CVE-2013-6653 CVE-2013-6654 CVE-2013-6655 |
| CWE-ID | CWE-79 CWE-399 CWE-310 CWE-264 CWE-20 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU42012
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2013-6656
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via unspecified vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=331725
https://src.chromium.org/viewvc/blink?revision=164749&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU42013
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2013-6657
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via unspecified vectors. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=331060
https://src.chromium.org/viewvc/blink?revision=164538&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU42014
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6658
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving (1) running JavaScript code during execution of the updateWidgetPositions function or (2) making a call into a plugin during execution of the updateWidgetPositions function.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=322891
https://src.chromium.org/viewvc/blink?revision=165052&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cryptographic issues
EUVDB-ID: #VU42015
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6659
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The SSLClientSocketNSS::Core::OwnAuthCertHandler function in net/socket/ssl_client_socket_nss.cc in Google Chrome before 33.0.1750.117 does not prevent changes to server X.509 certificates during renegotiations, which allows remote SSL servers to trigger use of a new certificate chain, inconsistent with the user's expectations, by initiating a TLS renegotiation.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=306959
https://src.chromium.org/viewvc/chrome?revision=229611&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU42016
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6660
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The drag-and-drop implementation in Google Chrome before 33.0.1750.117 does not properly restrict the information in WebDropData data structures, which allows remote attackers to discover full pathnames via a crafted web site.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=332579
https://src.chromium.org/viewvc/chrome?revision=244538&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU42017
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6661
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple unspecified vulnerabilities in Google Chrome before 33.0.1750.117 allow attackers to bypass the sandbox protection mechanism after obtaining renderer access, or have other impact, via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=294687
https://code.google.com/p/chromium/issues/detail?id=312016
https://code.google.com/p/chromium/issues/detail?id=313005
https://code.google.com/p/chromium/issues/detail?id=314088
https://code.google.com/p/chromium/issues/detail?id=324812
https://code.google.com/p/chromium/issues/detail?id=326860
https://code.google.com/p/chromium/issues/detail?id=328620
https://code.google.com/p/chromium/issues/detail?id=329651
https://code.google.com/p/chromium/issues/detail?id=330222
https://code.google.com/p/chromium/issues/detail?id=330750
https://code.google.com/p/chromium/issues/detail?id=332957
https://code.google.com/p/chromium/issues/detail?id=333885
https://code.google.com/p/chromium/issues/detail?id=334274
https://code.google.com/p/chromium/issues/detail?id=338464
https://code.google.com/p/chromium/issues/detail?id=338532
https://code.google.com/p/chromium/issues/detail?id=338561
https://code.google.com/p/chromium/issues/detail?id=339337
https://code.google.com/p/chromium/issues/detail?id=341220
https://code.google.com/p/chromium/issues/detail?id=344876
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU42019
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6653
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors involving attempted conflicting access to the color chooser. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=331790
https://src.chromium.org/viewvc/chrome?revision=244710&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU42020
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6654
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The SVGAnimateElement::calculateAnimatedValue function in core/svg/SVGAnimateElement.cpp in Blink, as used in Google Chrome before 33.0.1750.117, does not properly handle unexpected data types, which allows remote attackers to cause a denial of service (incorrect cast) or possibly have unspecified other impact via unknown vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=333176
https://src.chromium.org/viewvc/blink?revision=165009&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU42021
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2013-6655
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to improper handling of overflowchanged DOM events during interaction between JavaScript and layout. A remote attackers can cause a denial of service or possibly have unspecified other impact.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 33.0.1750.0 - 33.0.1750.115
CPE2.3- cpe:2.3:a:google:google_chrome:33.0.1750.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:google_chrome:33.0.1750.2:*:*:*:*:*:*:*
https://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html
https://lists.opensuse.org/opensuse-updates/2014-03/msg00006.html
https://www.debian.org/security/2014/dsa-2883
https://code.google.com/p/chromium/issues/detail?id=293534
https://src.chromium.org/viewvc/blink?revision=162655&view=revision
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
