The version of Google Chrome installed on the remote macOS host is prior to 128.0.6613.84. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_08_stable-channel-update-for-desktop_21 advisory.

  - Use after free in Passwords in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker     to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-7964)

  - Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-7965)

  - Out of bounds memory access in Skia in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who     had compromised the renderer process to perform out of bounds memory access via a crafted HTML page.
    (Chromium security severity: High) (CVE-2024-7966)

  - Heap buffer overflow in Fonts in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-7967)

  - Use after free in Autofill in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had     convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a     crafted HTML page. (Chromium security severity: High) (CVE-2024-7968)

  - Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap     corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2024-7971)

  - Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to     potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity:
    Medium) (CVE-2024-7972)

  - Heap buffer overflow in PDFium in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to     perform an out of bounds memory read via a crafted PDF file. (Chromium security severity: Medium)     (CVE-2024-7973)

  - Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84 allowed a remote attacker     to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity:
    Medium) (CVE-2024-7974)

  - Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84 allowed a remote     attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2024-7975)

  - Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to     perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) (CVE-2024-7976)

  - Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a     local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium)     (CVE-2024-7977)

  - Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84 allowed a remote     attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted     HTML page. (Chromium security severity: Medium) (CVE-2024-7978)

  - Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a     local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity:
    Medium) (CVE-2024-7979, CVE-2024-7980)

  - Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to     perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) (CVE-2024-7981)

  - Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84 allowed     an attacker who convinced a user to install a malicious application to perform UI spoofing via a crafted     HTML page. (Chromium security severity: Low) (CVE-2024-8033)

  - Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84 allowed a     remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)     (CVE-2024-8034)

  - Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a     remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)     (CVE-2024-8035)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Google Chrome < 128.0.6613.84 Multiple Vulnerabilities

high Nessus Plugin ID 206042

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.4 Aug 23, 2024, 10:02 PM CVE (set "CVE" coverage to "CVE-2024-7964,CVE-2024-7965,CVE-2024-7966,CVE-2024-7967,CVE-2024-7968,CVE-2024-7971,CVE-2024-7972,CVE-2024-7973,CVE-2024-7974,CVE-2024-7975,CVE-2024-7976,CVE-2024-7977,CVE-2024-7978,CVE-2024-7979,CVE-2024-7980,CVE-2024-7981,CVE-2024-8033,CVE-2024-8034,CVE-2024-8035") CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 score source (changed from "CVE-2024-7974" to "CVE-2024-7968") CVSSv2 severity (based on None, severity decreased from "High" to "Low") CVSSv3 score source (set to "CVE-2024-7974") Plugin metadata Plugin Feed: 202408232202
Version 1.3 Aug 23, 2024, 1:44 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202408231344
Version 1.2 Aug 23, 2024, 7:18 AM CVSS metrics ("CVSSv3 score" set to 8.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H") CVSSv2 score source (changed from "CVE-2024-7968" to "CVE-2024-7974") Plugin Feed: 202408230718
Version 1.1 Aug 21, 2024, 9:41 PM New Plugin Feed: 202408212141