12 matches found

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2018-10220

Malware in sbrugna...

CVSS 6.5 | AI score 7.8 | EPSS 0.01665
Exploits: 0 | References: 8
The Hacker News
added 2025/04/15 1:25 p.m. | 21 views

Majority of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds

Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations. LayerX today announced the release of the...

AI score 6.8
Exploits: 0
RedHat Linux
added 2022/02/15 10:41 a.m. | 3 views

Mozilla: Extensions could have bypassed permission confirmation during update

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as: If a user installed a particular type of extension, the extension could have auto-updated itself, and while doing so may have bypassed the prompt which grants the new version the new requested permission...

CVSS 6.5 | AI score 7.3 | EPSS 0.00644
Exploits: 0 | References: 4
RedHat Linux
added 2020/12/16 8:16 a.m. | 4 views

Mozilla: The proxy.onRequest API did not catch view-source URLs

The Mozilla Foundation Security Advisory describes this flaw as: When an extension with the proxy permission registered to receive , the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have...

CVSS 4.3 | AI score 7.3 | EPSS 0.01181
Exploits: 0 | References: 5
Veracode
added 2020/12/06 3:6 a.m. | 19 views

Authorization Bypass

chromium is vulnerable to authorization bypass. A missing case for handling special schemes in permission request checks in Extensions allows an attacker to install a malicious extension on a victim's host to bypass extension permission checks for privileged pages via a malicious Chrome Extension...

CVSS 6.5 | AI score 3.8 | EPSS 0.01014
Exploits: 0 | References: 10 | Affected Software: 1
OSV
added 2019/02/19 5:29 p.m. | 2 views

DEBIAN-CVE-2019-5778

A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension permission checks for privileged pages via a crafted Chrome Extension...

CVSS 6.5 | AI score 8.5 | EPSS 0.01014
Exploits: 0 | References: 1
OSV
added 2019/02/19 5:29 p.m. | 2 views

UBUNTU-CVE-2019-5778

A missing case for handling special schemes in permission request checks in Extensions in Google Chrome prior to 72.0.3626.81 allowed an attacker who convinced a user to install a malicious extension to bypass extension permission checks for privileged pages via a crafted Chrome Extension...

CVSS 6.5 | AI score 7.3 | EPSS 0.01014
Exploits: 0 | References: 2
Debian
added 2018/07/27 5:15 a.m. | 34 views

[SECURITY] [DSA 4256-1] chromium-browser security update

Debian Security Advisory DSA-4256-1 [email protected] https://www.debian.org/security/ Michael Gilbert July 26, 2018 https://www.debian.org/security/faq -...

CVSS 6.8 | EPSS 0.03296
Exploits: 0
OSV
added 2018/06/11 9:29 p.m. | 4 views

CVE-2018-5152

WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. For example, this allows for the interception of username and an encrypted password during login to Firef...

CVSS 6.5 | AI score 7.2
Exploits: 0 | References: 6
The Hacker Blog
added 2018/06/08 2:24 a.m. | 18 views

Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper

Summary: The “Steam Inventory Helper” Chrome extension version 1.13.6 suffered from both a DOM-based Cross-site Scripting (XSS) and a clickjacking vulnerability. By combining these vulnerabilities it is possible to gain JavaScript code execution in the highly-privileged context of the extension’s...

AI score 6.1
Exploits: 0
Prion
added 2014/08/27 1:55 a.m. | 19 views

Code injection

extensions/common/urlpattern.cc in Google Chrome before 37.0.2062.94 does not prevent use of a '\0' character in a host name, which allows remote attackers to spoof the extension permission dialog by relying on truncation after this character...

CVSS 6.4 | AI score 6.4 | EPSS 0.0188
Exploits: 0 | References: 11 | Affected Software: 1
Tenable Nessus
added 2014/08/27 12:0 a.m. | 34 views

Google Chrome < 37.0.2062.94 Multiple Vulnerabilities (Mac OS X)

The version of Google Chrome installed on the remote Mac OS X host is a version prior to 37.0.2062.94. It is, therefore, affected by the following vulnerabilities: - Blink contains a use-after-free vulnerability in its SVG implementation. By using a specially crafted web page, a remote attacker...

CVSS 10 | AI score 8.6 | EPSS 0.09758
Exploits: 0 | References: 11