Impact
An inappropriate implementation in Chrome’s SiteSettings on Android allows a remote attacker to deliver a crafted HTML page that modifies the browser’s user interface, creating a deceptive environment that can trick users into taking unintended actions. The vulnerability was assigned a medium severity by Chromium, meaning that while it does not directly expose data or cause widespread impact, it provides a vector for phishing or social‑engineering attacks. The primary consequence is the potential to harvest sensitive information or credentials from users who are led to believe they are interacting with a legitimate site.
Affected Systems
Google Chrome for Android in versions prior to 150.0.7871.47 is affected. No other browsers or platforms are listed as vulnerable.
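A practical follow-up to the affected-version statement is checking whether an installed Chrome for Android build is older than the fixed release. The script below is an added example, not part of the OpenCVE page or of Chromium; it reads the `versionName=` field from the output of `adb shell dumpsys package com.android.chrome` and compares it numerically against 150.0.7871.47. The sample `dumpsys` excerpt is constructed for the example; the comparison is done component by component rather than as a string, because a lexical comparison would misjudge versions whose leading number has fewer digits.

```python
# Added example (not from the advisory or from Chromium): version check for the
# Chrome for Android fix named on the page.
import re

# Fixed release stated in the advisory.
FIXED_VERSION = "150.0.7871.47"


def parse_version(version):
    """Turn a dotted numeric version such as '149.0.7854.100' into a tuple of ints."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed version.

    Shorter tuples are zero-padded so '150.0' compares as '150.0.0.0'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_dumpsys(text):
    """Extract the first versionName= value from `dumpsys package` output, or None."""
    match = re.search(r"versionName=(\S+)", text)
    return match.group(1) if match else None


# Constructed excerpt in the shape of `adb shell dumpsys package com.android.chrome`;
# the version number here is a made-up pre-fix build, not a real observation.
SAMPLE_DUMPSYS = """Packages:
  Package [com.android.chrome] (1a2b3c4):
    userId=10123
    versionCode=785400100 minSdk=26 targetSdk=35
    versionName=149.0.7854.100
"""


def check_sample():
    """Run the check over the constructed excerpt and report (version, vulnerable)."""
    version = version_from_dumpsys(SAMPLE_DUMPSYS)
    return version, (version is not None and is_vulnerable(version))


if __name__ == "__main__":
    found, vuln = check_sample()
    status = "older than fix, update needed" if vuln else "at or above fixed version"
    print(f"installed Chrome {found}: {status} (fix: {FIXED_VERSION})")
```

On a real device, feed the actual `dumpsys` output into `version_from_dumpsys` instead of the constructed sample; a missing `versionName=` line (for example, when Chrome is not installed) yields `None` rather than a false "patched" result.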
Risk and Exploitability
The exploit requires a remote attacker to serve a malicious web page that the user eventually visits; no local compromise is necessary. The EPSS score is not available, and Chrome is not listed in the CISA KEV catalog, indicating that no public active exploitation has been observed. The CVSS score is not supplied, but the medium severity rating suggests a non‑critical yet exploitable weakness. An attacker controlling a malicious web page can present a misleading browser UI to the user, potentially leading to credential theft or unintended actions. In the absence of a public exploit, the risk remains theoretical but should not be underestimated given the ease of hosting malicious pages.
OpenCVE Enrichment