The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5668 advisory.

  - Object corruption in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially     exploit object corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2024-3832)

  - Object corruption in WebAssembly in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to     potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-3833)

  - Use after free in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-3834)

  - Use after free in QUIC in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: Medium) (CVE-2024-3837)

  - Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed an attacker who     convinced a user to install a malicious app to perform UI spoofing via a crafted app. (Chromium security     severity: Medium) (CVE-2024-3838)

  - Out of bounds read in Fonts in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to obtain     potentially sensitive information from process memory via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2024-3839)

  - Insufficient policy enforcement in Site Isolation in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2024-3840)

  - Insufficient data validation in Browser Switcher in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to inject scripts or HTML into a privileged page via a malicious file. (Chromium security     severity: Medium) (CVE-2024-3841)

  - Insufficient data validation in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2024-3843)

  - Inappropriate implementation in Extensions in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)     (CVE-2024-3844)

  - Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 allowed a remote attacker     to bypass mixed content policy via a crafted HTML page. (Chromium security severity: Low) (CVE-2024-3845)

  - Inappropriate implementation in Prompts in Google Chrome prior to 124.0.6367.60 allowed a remote attacker     who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
    (Chromium security severity: Low) (CVE-2024-3846)

  - Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker     to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)     (CVE-2024-3847)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dsa-5668 : chromium - security update

high Nessus Plugin ID 193664

Version 1.1

Version 1.0

Version 1.1 Dec 20, 2024, 9:44 AM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202412200944
Version 1.0 Apr 21, 2024, 12:52 AM New Plugin Feed: 202404210052