Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Medium)

The remote host is affected by the vulnerability described in GLSA-202305-10 (Chromium, Google Chrome, Microsoft Edge:
Multiple Vulnerabilities)

  - Use after free in Skia in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3445)

  - Heap buffer overflow in WebSQL in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-3446)

  - Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 106.0.5249.119 allowed a     remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security     severity: High) (CVE-2022-3447)

  - Use after free in Permissions API in Google Chrome prior to 106.0.5249.119 allowed a remote attacker who     convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted     HTML page. (Chromium security severity: High) (CVE-2022-3448)

  - Use after free in Safe Browsing in Google Chrome prior to 106.0.5249.119 allowed an attacker who convinced     a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome     Extension. (Chromium security severity: High) (CVE-2022-3449)

  - Use after free in Peer Connection in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-3450)

  - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)

  - Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had     compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
    (Chromium security severity: High) (CVE-2022-4135)

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)

  - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4175)

  - Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71     allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially     exploit heap corruption via UI interactions. (Chromium security severity: High) (CVE-2022-4176)

  - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a     user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI     interaction. (Chromium security severity: High) (CVE-2022-4177)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: High) (CVE-2022-4178)

  - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user     to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4179)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4180)

  - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4184)

  - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote     attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an     attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a     crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a     remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4187)

  - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71     allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2022-4188)

  - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker     who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted     Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)

  - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4190)

  - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced     a user to engage in specific UI interaction to potentially exploit heap corruption via profile     destruction. (Chromium security severity: Medium) (CVE-2022-4191)

  - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who     convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI     interaction. (Chromium security severity: Medium) (CVE-2022-4192)

  - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a     remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4193)

  - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)     (CVE-2022-4195)

  - Use after free in Blink Media in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4436)

  - Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4437)

  - Use after free in Blink Frames in Google Chrome prior to 108.0.5359.124 allowed a remote attacker who     convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a     crafted HTML page. (Chromium security severity: High) (CVE-2022-4438)

  - Use after free in Aura in Google Chrome on Windows prior to 108.0.5359.124 allowed a remote attacker who     convinced the user to engage in specific UI interactions to potentially exploit heap corruption via     specific UI interactions. (Chromium security severity: High) (CVE-2022-4439)

  - Use after free in Profiles in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4440)

  - Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability. (CVE-2022-41115)

  - Microsoft Edge (Chromium-based) Spoofing Vulnerability (CVE-2022-44688)

  - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. (CVE-2022-44708)

  - Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote     attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption     via a crafted HTML page. (Chromium security severity: High) (CVE-2023-0128)

  - Heap buffer overflow in Network Service in Google Chrome prior to 109.0.5414.74 allowed an attacker who     convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted     HTML page and specific interactions. (Chromium security severity: High) (CVE-2023-0129)

  - Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74     allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
    (Chromium security severity: Medium) (CVE-2023-0130)

  - Inappropriate implementation in in iframe Sandbox in Google Chrome prior to 109.0.5414.74 allowed a remote     attacker to bypass file download restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2023-0131)

  - Inappropriate implementation in in Permission prompts in Google Chrome on Windows prior to 109.0.5414.74     allowed a remote attacker to force acceptance of a permission prompt via a crafted HTML page. (Chromium     security severity: Medium) (CVE-2023-0132)

  - Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74     allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium     security severity: Medium) (CVE-2023-0133)

  - Use after free in Cart in Google Chrome prior to 109.0.5414.74 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via database corruption and a crafted     HTML page. (Chromium security severity: Medium) (CVE-2023-0134, CVE-2023-0135)

  - Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74     allowed a remote attacker to execute incorrect security UI via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2023-0136)

  - Heap buffer overflow in Platform Apps in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed an     attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via     a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0137)

  - Heap buffer overflow in libphonenumber in Google Chrome prior to 109.0.5414.74 allowed a remote attacker     to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)     (CVE-2023-0138)

  - Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 109.0.5414.74     allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security     severity: Low) (CVE-2023-0139)

  - Inappropriate implementation in in File System API in Google Chrome on Windows prior to 109.0.5414.74     allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security     severity: Low) (CVE-2023-0140)

  - Insufficient policy enforcement in CORS in Google Chrome prior to 109.0.5414.74 allowed a remote attacker     to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) (CVE-2023-0141)

  - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. (CVE-2023-21719)

  - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (CVE-2023-21775)

  - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability (CVE-2023-21795, CVE-2023-21796)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Microsoft Edge installed on the remote Windows host is prior to 108.0.1462.42. It is, therefore, affected by multiple vulnerabilities as referenced in the December 5, 2022 advisory.

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)

  - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4175)

  - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a     user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI     interaction. (Chromium security severity: High) (CVE-2022-4177)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: High) (CVE-2022-4178)

  - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user     to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4179)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4180)

  - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4184)

  - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote     attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an     attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a     crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a     remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4187)

  - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71     allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2022-4188)

  - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker     who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted     Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)

  - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4190)

  - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced     a user to engage in specific UI interaction to potentially exploit heap corruption via profile     destruction. (Chromium security severity: Medium) (CVE-2022-4191)

  - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who     convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI     interaction. (Chromium security severity: Medium) (CVE-2022-4192)

  - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a     remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4193)

  - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)     (CVE-2022-4195)

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4262)

  - Microsoft Edge (Chromium-based) Spoofing Vulnerability. (CVE-2022-44688)

  - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. (CVE-2022-44708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Microsoft Edge installed on the remote Windows host is prior to 108.0.1462.41. It is, therefore, affected by multiple vulnerabilities as referenced in the December 5, 2022 advisory.

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)

  - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4175)

  - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a     user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI     interaction. (Chromium security severity: High) (CVE-2022-4177)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: High) (CVE-2022-4178)

  - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user     to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4179)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4180)

  - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4184)

  - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote     attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an     attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a     crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a     remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4187)

  - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71     allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2022-4188)

  - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker     who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted     Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)

  - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4190)

  - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced     a user to engage in specific UI interaction to potentially exploit heap corruption via profile     destruction. (Chromium security severity: Medium) (CVE-2022-4191)

  - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who     convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI     interaction. (Chromium security severity: Medium) (CVE-2022-4192)

  - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a     remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4193)

  - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)     (CVE-2022-4195)

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4262)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5293 advisory.

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)

  - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4175)

  - Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71     allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially     exploit heap corruption via UI interactions. (Chromium security severity: High) (CVE-2022-4176)

  - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a     user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI     interaction. (Chromium security severity: High) (CVE-2022-4177)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: High) (CVE-2022-4178)

  - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user     to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4179)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4180)

  - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4184)

  - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote     attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an     attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a     crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a     remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4187)

  - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71     allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2022-4188)

  - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker     who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted     Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)

  - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4190)

  - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced     a user to engage in specific UI interaction to potentially exploit heap corruption via profile     destruction. (Chromium security severity: Medium) (CVE-2022-4191)

  - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who     convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI     interaction. (Chromium security severity: Medium) (CVE-2022-4192)

  - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a     remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4193)

  - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)     (CVE-2022-4195)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10229-1 advisory.

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)

  - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4175)

  - Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71     allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially     exploit heap corruption via UI interactions. (Chromium security severity: High) (CVE-2022-4176)

  - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a     user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI     interaction. (Chromium security severity: High) (CVE-2022-4177)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: High) (CVE-2022-4178)

  - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user     to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4179)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4180)

  - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4184)

  - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote     attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an     attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a     crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a     remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4187)

  - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71     allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2022-4188)

  - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker     who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted     Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)

  - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4190)

  - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced     a user to engage in specific UI interaction to potentially exploit heap corruption via profile     destruction. (Chromium security severity: Medium) (CVE-2022-4191)

  - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who     convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI     interaction. (Chromium security severity: Medium) (CVE-2022-4192)

  - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a     remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4193)

  - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)     (CVE-2022-4195)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5f7ed6ea-70a7-11ed-92ce-3065ec8fd3ec advisory.

  - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)

  - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2022-4175)

  - Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71     allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially     exploit heap corruption via UI interactions. (Chromium security severity: High) (CVE-2022-4176)

  - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a     user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI     interaction. (Chromium security severity: High) (CVE-2022-4177)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: High) (CVE-2022-4178)

  - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user     to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4179)

  - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to     install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
    (Chromium security severity: High) (CVE-2022-4180)

  - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4184)

  - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote     attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an     attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a     crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a     remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4187)

  - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71     allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2022-4188)

  - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker     who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted     Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)

  - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4190)

  - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced     a user to engage in specific UI interaction to potentially exploit heap corruption via profile     destruction. (Chromium security severity: Medium) (CVE-2022-4191)

  - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who     convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI     interaction. (Chromium security severity: Medium) (CVE-2022-4192)

  - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a     remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2022-4193)

  - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote     attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)     (CVE-2022-4195)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote macOS host is prior to 108.0.5359.71. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022_11_stable-channel-update-for-desktop_29 advisory.

  - Type Confusion in V8. (CVE-2022-4174)

  - Use after free in Camera Capture. (CVE-2022-4175)

  - Out of bounds write in Lacros Graphics. (CVE-2022-4176)

  - Use after free in Extensions. (CVE-2022-4177)

  - Use after free in Mojo. (CVE-2022-4178, CVE-2022-4180)

  - Use after free in Audio. (CVE-2022-4179)

  - Use after free in Forms. (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames. (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker. (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill. (CVE-2022-4184)

  - Inappropriate implementation in Navigation. (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads. (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools. (CVE-2022-4187, CVE-2022-4189)

  - Insufficient validation of untrusted input in CORS. (CVE-2022-4188)

  - Insufficient data validation in Directory. (CVE-2022-4190)

  - Use after free in Sign-In. (CVE-2022-4191)

  - Use after free in Live Caption. (CVE-2022-4192)

  - Insufficient policy enforcement in File System API. (CVE-2022-4193)

  - Use after free in Accessibility. (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing. (CVE-2022-4195)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote Windows host is prior to 108.0.5359.71. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022_11_stable-channel-update-for-desktop_29 advisory.

  - Type Confusion in V8. (CVE-2022-4174)

  - Use after free in Camera Capture. (CVE-2022-4175)

  - Out of bounds write in Lacros Graphics. (CVE-2022-4176)

  - Use after free in Extensions. (CVE-2022-4177)

  - Use after free in Mojo. (CVE-2022-4178, CVE-2022-4180)

  - Use after free in Audio. (CVE-2022-4179)

  - Use after free in Forms. (CVE-2022-4181)

  - Inappropriate implementation in Fenced Frames. (CVE-2022-4182)

  - Insufficient policy enforcement in Popup Blocker. (CVE-2022-4183)

  - Insufficient policy enforcement in Autofill. (CVE-2022-4184)

  - Inappropriate implementation in Navigation. (CVE-2022-4185)

  - Insufficient validation of untrusted input in Downloads. (CVE-2022-4186)

  - Insufficient policy enforcement in DevTools. (CVE-2022-4187, CVE-2022-4189)

  - Insufficient validation of untrusted input in CORS. (CVE-2022-4188)

  - Insufficient data validation in Directory. (CVE-2022-4190)

  - Use after free in Sign-In. (CVE-2022-4191)

  - Use after free in Live Caption. (CVE-2022-4192)

  - Insufficient policy enforcement in File System API. (CVE-2022-4193)

  - Use after free in Accessibility. (CVE-2022-4194)

  - Insufficient policy enforcement in Safe Browsing. (CVE-2022-4195)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
186268	GLSA-202311-11 : QtWebEngine: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
175034	GLSA-202305-10 : Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
171333	Microsoft Edge (Chromium) < 108.0.1462.42 Multiple Vulnerabilities	Nessus	Windows	high
168406	Microsoft Edge (Chromium) < 108.0.1462.41 Multiple Vulnerabilities	Nessus	Windows	high
168402	Debian DSA-5293-1 : chromium - security update	Nessus	Debian Local Security Checks	high
168393	openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10229-1)	Nessus	SuSE Local Security Checks	high
168310	FreeBSD : chromium -- multiple vulnerabilities (5f7ed6ea-70a7-11ed-92ce-3065ec8fd3ec)	Nessus	FreeBSD Local Security Checks	high
168274	Google Chrome < 108.0.5359.71 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
168273	Google Chrome < 108.0.5359.71 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2022-4187

medium

Tenable Plugins

high

critical

high

high

high

high

high

high

high