Thomas Orlita

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 131.0.6778.69 **Description** The issue is related to an inappropriate implementation in Blink, allowing a remote attacker to perform UI spoofing via a crafted HTML page if a user is convinced to engage in specific UI gestures. This can lead to the attacker tricking the user into performing unintended actions. **Recommendations** For Google Chrome versions prior to 131.0.6778.69, update to version 131.0.6778.69 or later to resolve the issue. As a temporary workaround, consider being cautious when interacting with HTML pages from untrusted sources to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Firefox for Android versions prior to 130.0.1 Description: Under certain conditions, an attacker with the ability to redirect users to a malicious site via an open redirect on a trusted site, may be able to spoof the address bar contents. This can lead to a malicious site appearing to have the same URL as the trusted site. Recommendations: For Firefox for Android versions prior to 130.0.1, update to version 130.0.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of open redirects on trusted sites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 128.0.6613.84 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in Views, allowing a remote attacker to perform UI spoofing via a crafted HTML page. This could potentially lead to a security breach by manipulating the user interface. **Recommendations** For Google Chrome versions prior to 128.0.6613.84, update to version 128.0.6613.84 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 128.0.6613.84 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in Permissions, allowing a remote attacker to perform UI spoofing via a crafted HTML page. This could enable an attacker to deceive users into performing unintended actions. The severity of this issue is classified as Medium by Chromium security. **Recommendations** For Google Chrome versions prior to 128.0.6613.84, update to version 128.0.6613.84 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 118.0.5993.70 **Description** The issue is related to an inappropriate implementation in the Navigation component of Google Chrome, which can lead to errors in the representation of information in the user interface. This can allow a remote attacker to conduct spoofing attacks using a specially crafted HTML page. The attacker can exploit this issue to spoof security UI. **Recommendations** For versions prior to 118.0.5993.70, update to version 118.0.5993.70 or later to resolve the issue. As a temporary workaround, consider restricting the use of crafted HTML pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 115.0.5790.98 **Description** The issue is related to an inappropriate implementation in the Picture In Picture technology of Google Chrome, which may allow a remote attacker to conduct phishing attacks by potentially spoofing the contents of the Omnibox (URL bar) via a crafted HTML page. **Recommendations** For versions prior to 115.0.5790.98, update to version 115.0.5790.98 or later to resolve the issue. As a temporary workaround, consider disabling the Picture In Picture feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Google Chrome on Android versions prior to 113.0.5672.63 **Description** The issue is related to an inappropriate implementation in the Prompts component of Google Chrome on Android, which can allow a remote attacker to bypass security restrictions. This can be achieved via a specially crafted HTML page. The estimated severity of this issue is low. **Recommendations** For Google Chrome on Android versions prior to 113.0.5672.63, update to version 113.0.5672.63 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable HTML pages until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 113.0.5672.63 **Description** The issue is related to an inappropriate implementation in the PictureInPicture feature of Google Chrome, allowing an attacker to perform an origin spoof in the security UI via a crafted HTML page if a user installs a malicious extension. This could be exploited by a remote attacker using a specially crafted webpage. **Recommendations** For Google Chrome versions prior to 113.0.5672.63, update to version 113.0.5672.63 or later to resolve the issue. As a temporary workaround, consider avoiding the installation of extensions from untrusted sources and being cautious when interacting with HTML pages from unknown origins. Restrict access to the PictureInPicture feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 111.0.5563.64 **Description** The issue is related to insufficient policy enforcement in the Web Payments API, allowing a remote attacker to bypass navigation restrictions via a crafted HTML page. This can be exploited by a remote attacker using a specially crafted HTML page. **Recommendations** For versions prior to 111.0.5563.64, update to version 111.0.5563.64 or later to resolve the issue. As a temporary workaround, consider restricting access to the Web Payments API until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 111.0.5563.64 **Description** The issue is related to an inappropriate implementation in permission prompts, allowing a remote attacker to bypass navigation restrictions via a crafted HTML page. This could potentially lead to security breaches by exploiting the vulnerability in the permission prompts system, which incorrectly utilizes standard permissions. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For versions prior to 111.0.5563.64, update to version 111.0.5563.64 or later to resolve the issue. As a temporary workaround, consider restricting the use of permission prompts until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 103.0.5060.134 **Description** The issue is related to an inappropriate implementation in URL formatting, which can be exploited by a remote attacker to perform domain spoofing via a crafted HTML page. This can be achieved by manipulating the URL formatting mechanism, allowing the attacker to deceive users about the actual domain they are interacting with. **Recommendations** For Google Chrome versions prior to 103.0.5060.134, update to version 103.0.5060.134 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable web pages or avoiding the use of HTML pages from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 100.0.4896.60 Microsoft Edge (affected versions not specified) **Description** The issue is related to an inappropriate implementation in the Extensions component of Google Chrome and Microsoft Edge browsers, which may allow an attacker to leak potentially sensitive information via a crafted HTML page. This can occur if a user is convinced to install a malicious extension. The vulnerability is related to incorrectly implemented security checks for standard elements, potentially allowing a remote attacker to gain unauthorized access to protected information or cause a denial of service using a specially crafted web page. **Recommendations** For Google Chrome versions prior to 100.0.4896.60, update to version 100.0.4896.60 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 97.0.4692.71 **Description** The issue is related to an incorrect implementation of the security interface in the browser UI, allowing a remote attacker to conduct spoofing attacks by displaying a missing or incorrect URL via a specially crafted URL. This can be achieved through a crafted web page. **Recommendations** For Google Chrome versions prior to 97.0.4692.71, update to version 97.0.4692.71 or later to resolve the issue. As a temporary workaround, consider restricting access to untrusted websites to minimize the risk of exploitation. Avoid using crafted URLs in the affected browser until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 100.0.4896.88 **Description** The issue is related to a use after free vulnerability in the implementation of the tab groups extension in Google Chrome. This could allow a remote attacker to potentially exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to protected information. **Recommendations** For versions prior to 100.0.4896.88, update to version 100.0.4896.88 or later to resolve the issue. As a temporary workaround, consider disabling the tab groups feature until a patch is available.