Multiple vulnerabilities in Google Chrome



Risk High
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2024-11110
CVE-2024-11111
CVE-2024-11112
CVE-2024-11113
CVE-2024-11114
CVE-2024-11115
CVE-2024-11116
CVE-2024-11117
CWE-ID CWE-358
CWE-416
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Improperly implemented security check for standard

EUVDB-ID: #VU100313

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11110

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/373263969


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improperly implemented security check for standard

EUVDB-ID: #VU100314

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11111

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/360520331


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU100315

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11112

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Media in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/354824998


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU100316

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11113

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Accessibility in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/360274917


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improperly implemented security check for standard

EUVDB-ID: #VU100317

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11114

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Views in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/370856871


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU100318

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11115

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Navigation in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/371929521


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improperly implemented security check for standard

EUVDB-ID: #VU100319

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11116

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Paint in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/40942531


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improperly implemented security check for standard

EUVDB-ID: #VU100320

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-11117

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in FileSystem in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Google Chrome: 100.0.4896.60 - 130.0.6723.117

CPE2.3 External links

http://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html
http://crbug.com/40062534


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###