Inappropriate implementation in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
The attacker prepares a specially crafted HTML page that induces the user to perform specific gestures in the browser interface (UI gestures). Faulty implementation in the DevTools module causes this interaction to allow bypassing discretionary access control. The attack therefore requires active user participation and the execution of specific actions in the browser.
An attacker can bypass access control mechanisms in the browser, which potentially enables unauthorized access to protected resources or functions. The scope of effects depends on the context in which the vulnerability is exploited.
Google Chrome should be updated to version 136.0.7103.59 or later. The update is available through the browser's built-in update mechanism or on the vendor's website according to the references.
Google Chrome in versions earlier than 136.0.7103.59 on desktop platforms.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoogle Chrome
APPGoogle< 136.0.7103.59
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox