Alesandro Ortiz

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 148.0.7778.168 **Description** Incorrect security UI in Downloads allows a remote attacker to perform UI spoofing via a crafted HTML page. **Recommendations** Update to version 148.0.7778.168 or later.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 139.0.7258.127 Description: An inappropriate implementation in the File Picker component allowed a remote attacker to leak cross-origin data. The attack required convincing a user to perform specific UI gestures on a crafted HTML page. Recommendations: Update Google Chrome to version 139.0.7258.127 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 145.0.7632.45 **Description** An issue exists in the File input functionality of Google Chrome that could allow a remote attacker to perform UI spoofing. This is possible if the attacker convinces a user to perform specific UI gestures on a crafted HTML page. The Chromium security severity is rated as Medium. **Recommendations** Update Google Chrome to version 145.0.7632.45 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 146.0.7680.71 **Description** An incorrect security user interface in the LookalikeChecks feature allowed a remote attacker to perform UI spoofing through a crafted HTML page. The Chromium security severity is rated as Medium. **Recommendations** Update Google Chrome to version 146.0.7680.71 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 134.0.6998.35 **Description** The issue is related to an inappropriate implementation in Selection in Google Chrome on Android, allowing a remote attacker to perform UI spoofing via a crafted HTML page if the user engages in specific UI gestures. The severity of this issue is classified as Low by Chromium. **Recommendations** For Google Chrome versions prior to 134.0.6998.35, update to version 134.0.6998.35 or later to resolve the issue. As a temporary workaround, consider avoiding engagement in specific UI gestures that could be exploited by a crafted HTML page.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 133.0.6943.53 **Description** The issue is related to an inappropriate implementation in the Extensions API, allowing a remote attacker to perform UI spoofing via a crafted Chrome Extension if the user is convinced to engage in specific UI gestures. **Recommendations** For versions prior to 133.0.6943.53, update to version 133.0.6943.53 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 132.0.6834.83 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in the Navigation function of Google Chrome and Microsoft Edge, allowing a remote attacker to bypass authentication via UI spoofing. This can be achieved by using a specially crafted HTML page, enabling the attacker to circumvent existing security restrictions and perform a user interface spoofing attack. **Recommendations** For Google Chrome versions prior to 132.0.6834.83, update to version 132.0.6834.83 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 139.0.7258.66 **Description** An inappropriate implementation in Picture In Picture functionality allowed a remote attacker to perform UI spoofing. The attacker could convince a user to engage in specific UI gestures on a crafted HTML page to exploit this issue. The security severity is rated as Low. **Recommendations** Update Google Chrome to version 139.0.7258.66 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 127.0.6533.72 Microsoft Edge (affected versions not specified) **Description** The issue is related to inappropriate implementation in the FedCM component, which is associated with inadequate access control. This could allow a remote attacker to perform UI spoofing via a crafted HTML page if the user is convinced to engage in specific UI gestures. The attacker may also gain unauthorized access to the system. **Recommendations** For Google Chrome versions prior to 127.0.6533.72, update to version 127.0.6533.72 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 127.0.6533.72 Microsoft Edge (affected versions not specified) **Description** The issue is related to inappropriate implementation in the Fullscreen component, allowing a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. This can be achieved if the attacker convinces a user to engage in specific UI gestures. The problem is also associated with insufficient access control, which may allow an attacker to gain unauthorized access to limited functional capabilities. **Recommendations** For Google Chrome versions prior to 127.0.6533.72, update to version 127.0.6533.72 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 127.0.6533.72 Microsoft Edge (affected versions not specified) **Description** The issue is related to inappropriate implementation in the FedCM component, which is associated with inadequate access control. This could allow a remote attacker to perform UI spoofing via a crafted HTML page if the user is convinced to engage in specific UI gestures. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For Google Chrome versions prior to 127.0.6533.72, update to version 127.0.6533.72 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 128.0.6613.84 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in the FedCM component of Google Chrome and Microsoft Edge browsers, which is associated with incorrect security checks for standard elements. This allows a remote attacker to perform UI spoofing via a crafted HTML page. **Recommendations** For Google Chrome versions prior to 128.0.6613.84, update to version 128.0.6613.84 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 124.0.6367.60 **Description** The issue is related to an inappropriate implementation in the Extensions component of Google Chrome, which may allow a remote attacker to perform UI spoofing via a crafted Chrome Extension. This could potentially lead to unauthorized access to confidential information. **Recommendations** For versions prior to 124.0.6367.60, update to version 124.0.6367.60 or later to resolve the issue. As a temporary workaround, consider restricting the use of extensions in Google Chrome until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome on Android versions prior to 116.0.5845.96 **Description** The issue is related to an inappropriate implementation in the WebShare component of Google Chrome for Android, which can allow a remote attacker to spoof the contents of a dialog URL using a specially crafted HTML page. This can be achieved by exploiting the incorrectly implemented security check for standard elements. **Recommendations** For Google Chrome on Android versions prior to 116.0.5845.96, update to version 116.0.5845.96 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the WebShare component until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 114.0.5735.90 **Description** The issue is related to an inappropriate implementation in Picture In Picture, allowing a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. This could potentially be used for phishing attacks. **Recommendations** For versions prior to 114.0.5735.90, update to version 114.0.5735.90 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Picture In Picture feature until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 113 Firefox ESR versions prior to 102.11 Thunderbird versions prior to 102.11 **Description** The issue is related to errors in the user interface, where browser prompts could be obscured by popups controlled by content, potentially leading to user confusion and spoofing attacks. This could allow a remote attacker to perform spoofing attacks. **Recommendations** For Firefox versions prior to 113, update to version 113 or later to resolve the issue. For Firefox ESR versions prior to 102.11, update to version 102.11 or later to resolve the issue. For Thunderbird versions prior to 102.11, update to version 102.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 113.0.5672.63 **Description** The issue is related to an inappropriate implementation in the PictureInPicture feature of Google Chrome, allowing a remote attacker who has compromised the renderer process to obfuscate the security UI via a crafted HTML page. This could potentially be used for phishing attacks. **Recommendations** For versions prior to 113.0.5672.63, update to version 113.0.5672.63 or later to resolve the issue. As a temporary workaround, consider restricting the use of the PictureInPicture feature until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 113.0.5672.63 **Description** The issue is related to an inappropriate implementation in the Prompts component of Google Chrome, which may allow a remote attacker to obfuscate main origin data via a crafted HTML page. This could potentially be used for phishing attacks. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 113.0.5672.63, update to version 113.0.5672.63 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable HTML pages until the update is applied. Avoid using the Prompts component with untrusted or specially crafted HTML pages until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 111.0.5563.64 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in the Internals component of Google Chrome and Microsoft Edge browsers, specifically concerning the security check for standard elements. This could allow a remote attacker to conduct spoofing attacks using a specially crafted HTML page. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Google Chrome versions prior to 111.0.5563.64, update to version 111.0.5563.64 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome on Android versions prior to 109.0.5414.74 **Description** The issue is related to an inappropriate implementation in permission prompts, allowing a remote attacker to bypass main origin permission delegation via a crafted HTML page. This could potentially impact the integrity of data. **Recommendations** For Google Chrome on Android versions prior to 109.0.5414.74, update to version 109.0.5414.74 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted HTML pages to minimize the risk of exploitation.