Ndevtk

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 146.0.7680.71 **Description** An incorrect security user interface in the LookalikeChecks feature allowed a remote attacker to perform UI spoofing through a crafted HTML page. The Chromium security severity is rated as Medium. **Recommendations** Update Google Chrome to version 146.0.7680.71 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 140.0.7339.80 **Description** An inappropriate implementation in Extensions in Google Chrome allows a remote attacker to bypass the content security policy via a crafted HTML page. **Recommendations** Update Google Chrome to version 140.0.7339.80 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 128.0.6613.84 **Description** The issue is related to insufficient policy enforcement in Data Transfer, allowing a remote attacker to leak cross-origin data via a crafted HTML page if the user engages in specific UI gestures. This can lead to the disclosure of protected information. **Recommendations** For versions prior to 128.0.6613.84, update to version 128.0.6613.84 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted HTML pages to minimize the risk of exploitation. Avoid using Google Chrome for sensitive operations until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 1.3.36.351 Description: The issue is related to an inappropriate implementation in the Sign-In component of Google Chrome, allowing a remote attacker to bypass navigation restrictions. This can be achieved via a crafted HTML page, potentially enabling cross-site scripting attacks. Recommendations: For versions prior to 1.3.36.351, update to version 1.3.36.351 or later to resolve the issue. As a temporary workaround, consider restricting access to the Sign-In component until a patch is available. Avoid using crafted HTML pages in the affected Google Chrome versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 114.0.5735.90 **Description** The issue is related to an inappropriate implementation in the Picture In Picture technology of Google Chrome, which may allow a remote attacker to conduct phishing attacks by spoofing the contents of the Omnibox (URL bar) via a crafted HTML page. This can be achieved if the attacker has compromised the renderer process. The estimated number of potentially affected devices is not specified. **Recommendations** For Google Chrome versions prior to 114.0.5735.90, update to version 114.0.5735.90 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Picture In Picture feature until a patch is available. Avoid using crafted HTML pages that may exploit this issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 114.0.5735.90 **Description** The issue is related to an inappropriate implementation in Picture In Picture, allowing a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. This could potentially be used for phishing attacks. **Recommendations** For versions prior to 114.0.5735.90, update to version 114.0.5735.90 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Picture In Picture feature until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 112.0.5615.49 **Description** The issue is related to incorrect security UI in Picture In Picture, allowing a remote attacker to potentially perform navigation spoofing via a crafted HTML page. This could be exploited by a remote attacker using a specially crafted web page. **Recommendations** For versions prior to 112.0.5615.49, update to version 112.0.5615.49 or later to resolve the issue. As a temporary workaround, consider avoiding the use of Picture In Picture functionality until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 137.0.7151.55 **Description** The issue is related to an inappropriate implementation in the FileSystemAccess API, allowing a remote attacker to perform UI spoofing via a crafted HTML page. **Recommendations** For versions prior to 137.0.7151.55, update to version 137.0.7151.55 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Visual Studio Code (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface, allowing a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 146.0.7680.71 **Description** A flaw exists in Google Chrome's handling of PDF files. Insufficient policy enforcement allows a remote attacker to bypass navigation restrictions through a specially crafted PDF file. The Chromium security severity is rated as Low. **Recommendations** Update Google Chrome to version 146.0.7680.71 or later.

**Name of the Vulnerable Software and Affected Versions** @theia/plugin-ext component of Eclipse Theia versions prior to 1.18.0 **Description** The issue allows Webview contents to be hijacked via the `postMessage()` function. **Recommendations** For versions prior to 1.18.0, update to version 1.18.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `postMessage()` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 88.0.4324.96 Description: The issue is related to an inappropriate implementation in the Performance API of Google Chrome, which allowed a remote attacker to leak cross-origin data via a crafted HTML page. This is due to a lack of protection for transmitted data, enabling an attacker to gain unauthorized access to protected information. Recommendations: For versions prior to 88.0.4324.96, update to version 88.0.4324.96 or later to resolve the issue.