CVE-2018-6109

EUVD-2018-17872
readAsText() can indefinitely read the file picked by the user, rather than only once at the time the file is picked in File API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to access data on the user file system without explicit consent via a crafted HTML page.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
googlechrome
𝑥
< 66.0.3359.117
debiandebian_linux
8.0
debiandebian_linux
9.0
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_workstation
6.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
chromium-browser
artful
Fixed 66.0.3359.139-0ubuntu0.17.10.2
released
bionic
Fixed 66.0.3359.139-0ubuntu0.18.04.3
released
cosmic
Fixed 66.0.3359.139-0ubuntu1
released
trusty
dne
xenial
Fixed 66.0.3359.139-0ubuntu0.16.04.3
released
oxide-qt
artful
ignored
bionic
dne
cosmic
dne
trusty
dne
xenial
ignored
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/103917
https://access.redhat.com/errata/RHSA-2018:1195
https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html
https://crbug.com/710190
https://security.gentoo.org/glsa/201804-22
https://www.debian.org/security/2018/dsa-4182
http://www.securityfocus.com/bid/103917
https://access.redhat.com/errata/RHSA-2018:1195
https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html
https://crbug.com/710190
https://security.gentoo.org/glsa/201804-22
https://www.debian.org/security/2018/dsa-4182