The version of Google Chrome installed on the remote host is prior to 52.0.2743.82, and is affected by multiple vulnerabilities:
- An out-of-bounds read flaw in the 'xmlParseEndTag2()' function in 'parser.c' is triggered when parsing an end tag. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An out-of-bounds read flaw in the 'xmlNextChar()' function in 'parserInternals.c' is triggered when parsing characters in an XML file. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- An overflow condition in the 'htmlParseName()' and 'htmlParseNameComplex()' functions of 'HTMLparser.c' is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- An integer overflow condition in the 'xmlParse3986Port()' function in 'uri.c' is triggered as user-supplied input is not properly validated when handling port numbers in the URL. This may allow a context-dependent attacker to have an unspecified impact.
- An out-of-bounds under-read flaw in the 'xmlParseConditionalSections()' and 'xmlParseElementDecl()' functions in 'parser.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A format string flaw in multiple functionalities is triggered as string format specifiers (e.g. %s and %x) are not properly used. This may allow a context-dependent attacker to potentially execute arbitrary code or cause a denial of service in a process linked against the library.
- An out-of-bounds read flaw in the 'PairPosFormat1::sanitize()' function in 'hb-ot-layout-gpos-table.hh' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
- A flaw in 'PPAPI' is triggered when handling certain messages not sent by the browser in the plugin broker process. This may allow a context-dependent attacker to bypass the sandbox.
- A flaw in 'web/web_state/ui/crw_web_controller.mm' is triggered when handling invalid URLs. This may allow a context-dependent attacker to conduct URL spoofing attacks.
- A use-after-free error related to extensions may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- An array indexing error in the 'ByteArray::Get()' function in 'data/byte_array.cc' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.
- A flaw in 'web/ChromeClientImpl.cpp' is triggered when handling creation of new windows by deferred frames. This may allow a context-dependent attacker to bypass the same-origin policy.
- A flaw in 'core/loader/FrameLoader.
{"id": "9480.PASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Google Chrome < 52.0.2743.82 Multiple Vulnerabilites", "description": "The version of Google Chrome installed on the remote host is prior to 52.0.2743.82, and is affected by multiple vulnerabilities :\n\n - An out-of-bounds read flaw in the 'xmlParseEndTag2()' function in 'parser.c' is triggered when parsing an end tag. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.\n - An out-of-bounds read flaw in the 'xmlNextChar()' function in 'parserInternals.c' is triggered when parsing characters in an XML file. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.\n - An overflow condition in the 'htmlParseName()' and 'htmlParseNameComplex()' functions of 'HTMLparser.c' is triggered as user-supplied input is not properly validated when parsing characters in a range. With a specially crafted file, a context-dependent attacker can cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.\n - An integer overflow condition in the 'xmlParse3986Port()' function in 'uri.c' is triggered as user-supplied input is not properly validated when handling port numbers in the URL. This may allow a context-dependent attacker to have an unspecified impact.\n - An out-of-bounds under-read flaw in the 'xmlParseConditionalSections()' and 'xmlParseElementDecl()' functions in 'parser.c' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.\n - A format string flaw in multiple functionalities is triggered as string format specifiers (e.g. %s and %x) are not properly used. 
This may allow a context-dependent attacker to potentially execute arbitrary code or cause a denial of service in a process linked against the library.\n - An out-of-bounds read flaw in the 'PairPosFormat1::sanitize()' function 'in hb-ot-layout-gpos-table.hh' may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.\n - A flaw in 'PPAPI' is triggered when handling certain messages not sent by the browser in the plugin broker process. This may allow a context-dependent attacker to bypass the sandbox.\n - A flaw in 'web/web_state/ui/crw_web_controller.mm' is triggered when handling invalid URLs. This may allow a context-dependent attacker to conduct URL spoofing attacks.\n - A use-after-free error related to extensions may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.\n - An array indexing error in the 'ByteArray::Get()' function in 'data/byte_array.cc' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code.\n - A flaw in 'web/ChromeClientImpl.cpp' is triggered when handling creation of new windows by deferred frames. 
This may allow a context-dependent attacker to bypass the same-origin policy.\n - A flaw in 'core/loader/FrameLoader.", "published": "2016-08-12T00:00:00", "modified": "2019-03-06T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nnm/9480", "reporter": "Tenable", "references": ["http://googlechromereleases.blogspot.com/2016/07/stable-channel-update.html,https://codereview.chromium.org/2010803004", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8947"], "cvelist": [], "immutableFields": [], "lastseen": "2023-05-18T14:26:14", "viewCount": 5, "enchantments": {"dependencies": {"references": []}, "score": {"value": 3.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "androidsecurity", "idList": ["ANDROID:2017-06-01"]}, {"type": "apple", "idList": ["APPLE:6748E384E7BA13DBCB2C35FCC0D241F7", "APPLE:D5F409F7AFA37FCEB99438F892D4A5CB", "APPLE:HT207142", "APPLE:HT207143"]}, {"type": "archlinux", "idList": ["ASA-201605-28"]}, {"type": "centos", "idList": ["CESA-2016:1292"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7021C5270A461D6FC34DE4CA651C34EE"]}, {"type": "cve", "idList": ["CVE-2016-1695", "CVE-2016-1833", "CVE-2016-1838", "CVE-2016-1839", "CVE-2016-4447", "CVE-2016-4448"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3744-1:D44DC"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-5131"]}, {"type": "f5", "idList": ["F5:K76678525"]}, {"type": "fedora", "idList": ["FEDORA:D1EB860677B7"]}, {"type": "freebsd", "idList": ["1A6BBB95-24B8-11E6-BD31-3065EC8FD3EC", "76E59F55-4F7A-4887-BCB0-11604004163A", "C039A761-2C29-11E6-8912-3065EC8FD3EC"]}, {"type": "gentoo", "idList": ["GLSA-201701-37"]}, {"type": "ibm", "idList": ["4E0F3F37822FD6C37F3F06A94F967EABE3AAC2F9D4382E4932DAA8EA6754AFF7"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/GOOGLE-CHROME-CVE-2016-1706/", "MSF:ILITIES/UBUNTU-CVE-2016-5133/"]}, {"type": "nessus", "idList": ["9440.PRM", "APPLETV_9_2_1.NASL", 
"DEBIAN_DLA-503.NASL", "DEBIAN_DSA-3590.NASL", "FREEBSD_PKG_1A6BBB9524B811E6BD313065EC8FD3EC.NASL", "FREEBSD_PKG_C039A7612C2911E689123065EC8FD3EC.NASL", "GENTOO_GLSA-201607-07.NASL", "GENTOO_GLSA-201701-76.NASL", "GOOGLE_CHROME_51_0_2704_63.NASL", "ITUNES_12_4_2.NASL", "MACOSX_GOOGLE_CHROME_51_0_2704_63.NASL", "MACOSX_SECUPD2016-003.NASL", "OPENSUSE-2016-652.NASL", "OPENSUSE-2016-682.NASL", "REDHAT-RHSA-2016-1190.NASL", "REDHAT-RHSA-2016-1292.NASL", "SLACKWARE_SSA_2016-148-01.NASL", "SUSE_SU-2016-1538-1.NASL", "UBUNTU_USN-2992-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310872590", "OPENVAS:1361412562311220192211"]}, {"type": "redhat", "idList": ["RHSA-2016:1292"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-5127"]}, {"type": "slackware", "idList": ["SSA-2016-148-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1430-1", "OPENSUSE-SU-2016:1433-1", "OPENSUSE-SU-2016:1496-1"]}, {"type": "symantec", "idList": ["SMNTC-1377"]}, {"type": "ubuntu", "idList": ["USN-3041-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-5131"]}, {"type": "zdt", "idList": ["1337DAY-ID-25847"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2015-8947", "epss": 0.0173, "percentile": 0.85994, "modified": "2023-05-07"}], "vulnersScore": 3.9}, "_state": {"dependencies": 1684449048, "score": 1684451024, "epss": 0}, "_internal": {"score_hash": "54ecb12177ca40f66624c775f630fe53"}, "pluginID": "9480", "sourceData": "Binary data 9480.pasl", "naslFamily": "Web Clients", "cpe": ["cpe:/a:google:chrome"], "solution": "Update the Chrome browser to 52.0.2743.82 or later.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vendor_cvss2": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "vendor_cvss3": {"score": null, "vector": null}, "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": "2016-05-23T00:00:00", "vulnerabilityPublicationDate": "2016-05-23T00:00:00", "exploitableWith": []}