INFESA-2024:0006: chromium security update (Important)
Information about definition
Identificator: INFESA-2024:0006
Type: security
Release date: 2024-10-23 11:18:23 UTC
Information about package
Chromium is an open-source web browser, powered by WebKit (Blink)
Vulnerabilities description
- CVE-2024-9954
Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2024-9955
Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9956
Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9957
Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9958
Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9959
Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium)
- CVE-2024-9960
Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9961
Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9962
Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9963
Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2024-9964
Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)
- CVE-2024-9965
Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)
- CVE-2024-9966
Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2024-9954
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9955
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9956
|
no information | 7.8 | no information |
|
NIST — CVE-2024-9957
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9958
|
no information | 4.3 | no information |
|
NIST — CVE-2024-9959
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9960
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9961
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9962
|
no information | 4.3 | no information |
|
NIST — CVE-2024-9963
|
no information | 4.3 | no information |
|
NIST — CVE-2024-9964
|
no information | 4.3 | no information |
|
NIST — CVE-2024-9965
|
no information | 8.8 | no information |
|
NIST — CVE-2024-9966
|
no information | 5.3 | no information |
Updated packages