
    44 vulnerabilities found for yandex_browser by yandex

    CVE-2023-26226 (GCVE-0-2023-26226)

    Vulnerability from nvd – Published: 2025-05-30 17:23 – Updated: 2025-05-30 17:48
    VLAI
    Title
    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682
    Summary
    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Browser Affected: 0 , < 24.4.0.682 (custom)
    Credits
    khangkito

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-26226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-30T17:48:08.779287Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-30T17:48:16.518Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "24.4.0.682",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "khangkito"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682"
                }
              ],
              "value": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-30T17:23:54.571Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2023-26226",
        "datePublished": "2025-05-30T17:23:54.571Z",
        "dateReserved": "2023-02-20T22:19:35.320Z",
        "dateUpdated": "2025-05-30T17:48:16.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25262 (GCVE-0-2021-25262)

    Vulnerability from nvd – Published: 2025-05-21 07:07 – Updated: 2025-05-21 13:51
    VLAI
    Title
    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform an IDN homograph attack.
    Summary
    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform an IDN homograph attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
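    Yandex Browser Affected: 21.3.0 (custom) (note: the record's version entry has no lessThan bound, so it marks 21.3.0 itself as affected, whereas the description says versions prior to 21.3.0; confirm the range before relying on automated version matching)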
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T13:51:35.327719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T13:51:43.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack."
                }
              ],
              "value": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:07:29.310Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25262",
        "datePublished": "2025-05-21T07:07:29.310Z",
        "dateReserved": "2021-01-15T16:29:27.870Z",
        "dateUpdated": "2025-05-21T13:51:43.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25255 (GCVE-0-2021-25255)

    Vulnerability from nvd – Published: 2025-05-21 07:04 – Updated: 2025-05-21 14:07
    VLAI
    Title
    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.
    Summary
    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
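    Yandex Browser Lite Affected: 21.1.0 (custom) (note: the record's version entry has no lessThan bound, so it marks 21.1.0 itself as affected, whereas the description says versions prior to 21.1.0; confirm the range before relying on automated version matching)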
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T14:07:35.324725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T14:07:41.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser Lite",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:04:02.436Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25255",
        "datePublished": "2025-05-21T07:04:02.436Z",
        "dateReserved": "2021-01-15T16:29:27.867Z",
        "dateUpdated": "2025-05-21T14:07:41.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25254 (GCVE-0-2021-25254)

    Vulnerability from nvd – Published: 2025-05-21 06:58 – Updated: 2025-05-21 22:09
    VLAI
    Title
    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
    Summary
    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
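    Yandex Browser Lite Affected: 21.1.0 (custom) (note: the record's version entry has no lessThan bound, so it marks 21.1.0 itself as affected, whereas the description says versions before 21.1.0; confirm the range before relying on automated version matching)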
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T22:09:21.003649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T22:09:29.774Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser Lite",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar."
                }
              ],
              "value": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T06:58:00.753Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25254",
        "datePublished": "2025-05-21T06:58:00.753Z",
        "dateReserved": "2021-01-15T16:29:27.867Z",
        "dateUpdated": "2025-05-21T22:09:29.774Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6473 (GCVE-0-2024-6473)

    Vulnerability from nvd – Published: 2024-09-03 10:35 – Updated: 2024-09-03 13:55
    VLAI
    Title
    DLL Hijacking in Yandex Browser
    Summary
    Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Browser Affected: 0 , < 24.7.1.380 (custom)
    yandex yandex_browser Affected: 0 , < 24.7.1.380 (custom)
        cpe:2.3:a:yandex:yandex_browser:*:*:*:*:*:*:*:*
    Date Public
    2024-09-03 09:00
    Credits
    Doctor Web, Ltd.

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yandex:yandex_browser:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yandex_browser",
                "vendor": "yandex",
                "versions": [
                  {
                    "lessThan": "24.7.1.380",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6473",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T13:50:44.729657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T13:55:15.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "24.7.1.380",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Doctor Web, Ltd."
            }
          ],
          "datePublic": "2024-09-03T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426 Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T10:35:59.145Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "DLL Hijacking in Yandex Browser",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2024-6473",
        "datePublished": "2024-09-03T10:35:59.145Z",
        "dateReserved": "2024-07-03T10:56:50.777Z",
        "dateUpdated": "2024-09-03T13:55:15.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28226 (GCVE-0-2022-28226)

    Vulnerability from nvd – Published: 2022-06-15 19:06 – Updated: 2024-08-03 05:48
    VLAI
    Summary
    Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating temporary files in a directory with insecure permissions during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.3.3.801

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.380Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.3.3.801"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:06:17.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2022-28226",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.3.3.801"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28226",
        "datePublished": "2022-06-15T19:06:17.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:48:37.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28225 (GCVE-0-2022-28225)

    Vulnerability from nvd – Published: 2022-06-15 19:10 – Updated: 2024-08-03 05:48
    VLAI
    Summary
    Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.3.3.684

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.3.3.684"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:10:32.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2022-28225",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.3.3.684"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28225",
        "datePublished": "2022-06-15T19:10:32.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:48:37.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25261 (GCVE-0-2021-25261)

    Vulnerability from nvd – Published: 2022-06-15 19:05 – Updated: 2024-08-03 19:56
    VLAI
    Summary
    Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.5.0.862

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:11.090Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.5.0.862"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:05:54.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2021-25261",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.5.0.862"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25261",
        "datePublished": "2022-06-15T19:05:54.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:11.090Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27970 (GCVE-0-2020-27970)

    Vulnerability from nvd – Published: 2021-09-13 11:46 – Updated: 2024-08-04 16:25
    VLAI
    Summary
    Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar
    Severity
    No CVSS data available.
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser Lite for Android Affected: All versions prior to version 20.10.0.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:44.126Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser Lite for Android",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 20.10.0."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-13T11:46:00.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2020-27970",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser Lite for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 20.10.0."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2020-27970",
        "datePublished": "2021-09-13T11:46:00.000Z",
        "dateReserved": "2020-10-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:44.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27969 (GCVE-0-2020-27969)

    Vulnerability from nvd – Published: 2021-09-13 11:44 – Updated: 2024-08-04 16:25
    VLAI
    Summary
    Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and address bar spoofing
    Severity
    No CVSS data available.
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser for Android Affected: All versions prior to version 20.8.4.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:44.099Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Android",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 20.8.4."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-13T11:44:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2020-27969",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 20.8.4."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2020-27969",
        "datePublished": "2021-09-13T11:44:01.000Z",
        "dateReserved": "2020-10-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:44.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25263 (GCVE-0-2021-25263)

    Vulnerability from nvd – Published: 2021-08-17 18:34 – Updated: 2024-08-03 19:56
    VLAI
    Summary
    Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating files in a directory with insecure permissions during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 21.9.0.390

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:11.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 21.9.0.390"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:06:06.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2021-25263",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 21.9.0.390"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25263",
        "datePublished": "2021-08-17T18:34:04.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:11.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-7369 (GCVE-0-2020-7369)

    Vulnerability from nvd – Published: 2020-10-20 16:40 – Updated: 2024-09-17 01:21
    VLAI
    Title
    Yandex Browser Address Bar Spoofing
    Summary
    User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020.
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex Yandex Browser Affected: 20.8.3 , ≤ 20.8.3 (custom)
    Date Public
    2020-10-20 00:00
    Credits
    This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7's coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:25:49.087Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThanOrEqual": "20.8.3",
                  "status": "affected",
                  "version": "20.8.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7\u0027s coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
            }
          ],
          "datePublic": "2020-10-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-20T16:40:24.000Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Yandex Browser Address Bar Spooofing",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@rapid7.com",
              "DATE_PUBLIC": "2020-10-20T13:00:00.000Z",
              "ID": "CVE-2020-7369",
              "STATE": "PUBLIC",
              "TITLE": "Yandex Browser Address Bar Spooofing"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "20.8.3",
                                "version_value": "20.8.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7\u0027s coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html",
                  "refsource": "MISC",
                  "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
                },
                {
                  "name": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2020-7369",
        "datePublished": "2020-10-20T16:40:24.201Z",
        "dateReserved": "2020-01-21T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:21:44.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7327 (GCVE-0-2017-7327)

    Vulnerability from nvd – Published: 2018-01-19 17:00 – Updated: 2024-09-16 21:57
    VLAI
    Summary
    Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.
    Severity
    No CVSS data available.
    CWE
    • Dll hijacking
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for Desktop Affected: All versions prior to version 17.4.1
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.464Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Desktop",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 17.4.1"
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Dll hijacking",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7327",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Desktop",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 17.4.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Dll hijacking"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7327",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:57:43.175Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7326 (GCVE-0-2017-7326)

    Vulnerability from nvd – Published: 2018-01-19 17:00 – Updated: 2024-09-17 03:37
    VLAI
    Summary
    Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page
    Severity
    No CVSS data available.
    CWE
    • Memory corruption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for Android Affected: All versions prior to version 17.4.0.16.
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.417Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Android",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 17.4.0.16."
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Memory corruption",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7326",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 17.4.0.16."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Memory corruption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7326",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:37:27.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7325 (GCVE-0-2017-7325)

    Vulnerability from nvd – Published: 2018-01-19 17:00 – Updated: 2024-09-16 22:36
    VLAI
    Summary
    Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.
    Severity
    No CVSS data available.
    CWE
    • Address bar spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser Affected: All versions prior to version 16.9.0
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.458Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 16.9.0"
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Address bar spoofing",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7325",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 16.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Address bar spoofing"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7325",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:36:01.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-26226 (GCVE-0-2023-26226)

    Vulnerability from cvelistv5 – Published: 2025-05-30 17:23 – Updated: 2025-05-30 17:48
    VLAI
    Title
    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682
    Summary
    A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Browser Affected: 0 , < 24.4.0.682 (custom)
    Credits
    khangkito

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-26226",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-30T17:48:08.779287Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-30T17:48:16.518Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows",
                "MacOS"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "24.4.0.682",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "khangkito"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682"
                }
              ],
              "value": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416 Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-30T17:23:54.571Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A use after free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2023-26226",
        "datePublished": "2025-05-30T17:23:54.571Z",
        "dateReserved": "2023-02-20T22:19:35.320Z",
        "dateUpdated": "2025-05-30T17:48:16.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25262 (GCVE-0-2021-25262)

    Vulnerability from cvelistv5 – Published: 2025-05-21 07:07 – Updated: 2025-05-21 13:51
    VLAI
    Title
    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.
    Summary
    Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
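    Yandex Browser Affected: 21.3.0 (custom). Note: the record's version entry lists only 21.3.0 as affected, whereas the summary describes versions prior to 21.3.0 as vulnerable; version matching based on this entry alone would miss the earlier builds.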
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25262",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T13:51:35.327719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T13:51:43.378Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack."
                }
              ],
              "value": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:07:29.310Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25262",
        "datePublished": "2025-05-21T07:07:29.310Z",
        "dateReserved": "2021-01-15T16:29:27.870Z",
        "dateUpdated": "2025-05-21T13:51:43.378Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25255 (GCVE-0-2021-25255)

    Vulnerability from cvelistv5 – Published: 2025-05-21 07:04 – Updated: 2025-05-21 14:07
    VLAI
    Title
    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.
    Summary
    Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
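    Yandex Browser Lite Affected: 21.1.0 (custom) (note: the record marks only 21.1.0 as affected, while the summary says versions prior to 21.1.0 are vulnerable; the two disagree, so confirm the fixed version against the vendor reference before relying on automated version matching)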
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T14:07:35.324725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T14:07:41.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser Lite",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T07:04:02.436Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25255",
        "datePublished": "2025-05-21T07:04:02.436Z",
        "dateReserved": "2021-01-15T16:29:27.867Z",
        "dateUpdated": "2025-05-21T14:07:41.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25254 (GCVE-0-2021-25254)

    Vulnerability from cvelistv5 – Published: 2025-05-21 06:58 – Updated: 2025-05-21 22:09
    VLAI
    Title
    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
    Summary
    Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Vendor Product Version
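    Yandex Browser Lite Affected: 21.1.0 (custom) (note: the record marks only 21.1.0 as affected, while the summary says versions before 21.1.0 are vulnerable; the two disagree, so confirm the fixed version against the vendor reference before relying on automated version matching)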
    Credits
    Kirtikumar Anandrao Ramchandani

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-25254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-21T22:09:21.003649Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-21T22:09:29.774Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android"
              ],
              "product": "Browser Lite",
              "vendor": "Yandex",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirtikumar Anandrao  Ramchandani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar."
                }
              ],
              "value": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 Interface Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-116",
                  "description": "CWE-116 Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-21T06:58:00.753Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25254",
        "datePublished": "2025-05-21T06:58:00.753Z",
        "dateReserved": "2021-01-15T16:29:27.867Z",
        "dateUpdated": "2025-05-21T22:09:29.774Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6473 (GCVE-0-2024-6473)

    Vulnerability from cvelistv5 – Published: 2024-09-03 10:35 – Updated: 2024-09-03 13:55
    VLAI
    Title
    DLL Hijacking in Yandex Browser
    Summary
    Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Yandex Browser Affected: 0 , < 24.7.1.380 (custom)
    yandex yandex_browser Affected: 0 , < 24.7.1.380 (custom)
        cpe:2.3:a:yandex:yandex_browser:*:*:*:*:*:*:*:*
    Date Public
    2024-09-03 09:00
    Credits
    Doctor Web, Ltd.

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:yandex:yandex_browser:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "yandex_browser",
                "vendor": "yandex",
                "versions": [
                  {
                    "lessThan": "24.7.1.380",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6473",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T13:50:44.729657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T13:55:15.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThan": "24.7.1.380",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Doctor Web, Ltd."
            }
          ],
          "datePublic": "2024-09-03T09:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426 Untrusted Search Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T10:35:59.145Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "DLL Hijacking in Yandex Browser",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2024-6473",
        "datePublished": "2024-09-03T10:35:59.145Z",
        "dateReserved": "2024-07-03T10:56:50.777Z",
        "dateUpdated": "2024-09-03T13:55:15.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28225 (GCVE-0-2022-28225)

    Vulnerability from cvelistv5 – Published: 2022-06-15 19:10 – Updated: 2024-08-03 05:48
    VLAI
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.3.3.684

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.339Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.3.3.684"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:10:32.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2022-28225",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.3.3.684"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.684 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28225",
        "datePublished": "2022-06-15T19:10:32.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:48:37.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28226 (GCVE-0-2022-28226)

    Vulnerability from cvelistv5 – Published: 2022-06-15 19:06 – Updated: 2024-08-03 05:48
    VLAI
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating temporary files in a directory with insecure permissions during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.3.3.801

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:48:37.380Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.3.3.801"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:06:17.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2022-28226",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.3.3.801"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2022-28226",
        "datePublished": "2022-06-15T19:06:17.000Z",
        "dateReserved": "2022-03-30T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:48:37.380Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25261 (GCVE-0-2021-25261)

    Vulnerability from cvelistv5 – Published: 2022-06-15 19:05 – Updated: 2024-08-03 19:56
    VLAI
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating symlinks to the installation file during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 22.5.0.862

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:11.090Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 22.5.0.862"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitrary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:05:54.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2021-25261",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 22.5.0.862"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 22.5.0.862 allows a local, low privileged, attacker to execute arbitrary code with the SYSTEM privileges through manipulating symlinks to installation file during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25261",
        "datePublished": "2022-06-15T19:05:54.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:11.090Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27970 (GCVE-0-2020-27970)

    Vulnerability from cvelistv5 – Published: 2021-09-13 11:46 – Updated: 2024-08-04 16:25
    VLAI
    Summary
    Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar
    Severity
    No CVSS data available.
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser Lite for Android Affected: All versions prior to version 20.10.0.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:44.126Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser Lite for Android",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 20.10.0."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-13T11:46:00.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2020-27970",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser Lite for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 20.10.0."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser before 20.10.0 allows remote attackers to spoof the address bar"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2020-27970",
        "datePublished": "2021-09-13T11:46:00.000Z",
        "dateReserved": "2020-10-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:44.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27969 (GCVE-0-2020-27969)

    Vulnerability from cvelistv5 – Published: 2021-09-13 11:44 – Updated: 2024-08-04 16:25
    VLAI
    Summary
    Yandex Browser for Android 20.8.4 allows remote attackers to perform a same-origin policy (SOP) bypass and address bar spoofing
    Severity
    No CVSS data available.
    CWE
    • User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser for Android Affected: All versions prior to version 20.8.4.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:25:44.099Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Android",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 20.8.4."
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and address bar spoofing"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-13T11:44:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2020-27969",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 20.8.4."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and address bar spoofing"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2020-27969",
        "datePublished": "2021-09-13T11:44:01.000Z",
        "dateReserved": "2020-10-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:25:44.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25263 (GCVE-0-2021-25263)

    Vulnerability from cvelistv5 – Published: 2021-08-17 18:34 – Updated: 2024-08-03 19:56
    VLAI
    Summary
    Local privilege escalation vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low-privileged attacker to execute arbitrary code with SYSTEM privileges by manipulating files in a directory with insecure permissions during the Yandex Browser update process.
    Severity
    No CVSS data available.
    CWE
    • Privilege escalation
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Yandex Browser (Desktop) Affected: All versions prior to version 21.9.0.390

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:56:11.179Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser (Desktop)",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 21.9.0.390"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitrary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Privilege escalation",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-15T19:06:06.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "ID": "CVE-2021-25263",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser (Desktop)",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 21.9.0.390"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Local privilege vulnerability in Yandex Browser for Windows prior to 21.9.0.390 allows a local, low privileged, attacker to execute arbitrary code with the SYSTEM privileges through manipulating files in directory with insecure permissions during Yandex Browser update process."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Privilege escalation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://yandex.com/bugbounty/i/hall-of-fame-browser/",
                  "refsource": "MISC",
                  "url": "https://yandex.com/bugbounty/i/hall-of-fame-browser/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2021-25263",
        "datePublished": "2021-08-17T18:34:04.000Z",
        "dateReserved": "2021-01-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:56:11.179Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-7369 (GCVE-0-2020-7369)

    Vulnerability from cvelistv5 – Published: 2020-10-20 16:40 – Updated: 2024-09-17 01:21
    VLAI
    Title
    Yandex Browser Address Bar Spoofing
    Summary
    User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020.
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex Yandex Browser Affected: 20.8.3 , ≤ 20.8.3 (custom)
    Date Public
    2020-10-20 00:00
    Credits
    This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7's coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:25:49.087Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser",
              "vendor": "Yandex",
              "versions": [
                {
                  "lessThanOrEqual": "20.8.3",
                  "status": "affected",
                  "version": "20.8.3",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7\u0027s coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
            }
          ],
          "datePublic": "2020-10-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-20T16:40:24.000Z",
            "orgId": "9974b330-7714-4307-a722-5648477acda7",
            "shortName": "rapid7"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Yandex Browser Address Bar Spoofing",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@rapid7.com",
              "DATE_PUBLIC": "2020-10-20T13:00:00.000Z",
              "ID": "CVE-2020-7369",
              "STATE": "PUBLIC",
              "TITLE": "Yandex Browser Address Bar Spoofing"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "20.8.3",
                                "version_value": "20.8.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7\u0027s coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the Yandex Browser version 20.8.3 and prior versions, and was fixed in version 20.8.4 released October 1, 2020."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html",
                  "refsource": "MISC",
                  "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
                },
                {
                  "name": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/",
                  "refsource": "MISC",
                  "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
        "assignerShortName": "rapid7",
        "cveId": "CVE-2020-7369",
        "datePublished": "2020-10-20T16:40:24.201Z",
        "dateReserved": "2020-01-21T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:21:44.428Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7325 (GCVE-0-2017-7325)

    Vulnerability from cvelistv5 – Published: 2018-01-19 17:00 – Updated: 2024-09-16 22:36
    VLAI
    Summary
    Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.
    Severity
    No CVSS data available.
    CWE
    • Address bar spoofing
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser Affected: All versions prior to version 16.9.0
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.458Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 16.9.0"
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Address bar spoofing",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7325",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 16.9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Address bar spoofing"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-16-9"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7325",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:36:01.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7327 (GCVE-0-2017-7327)

    Vulnerability from cvelistv5 – Published: 2018-01-19 17:00 – Updated: 2024-09-16 21:57
    Summary
    Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.
    Severity
    No CVSS data available.
    CWE
    • Dll hijacking
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for Desktop Affected: All versions prior to version 17.4.1
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.464Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Desktop",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 17.4.1"
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Dll hijacking",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7327",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Desktop",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 17.4.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Dll hijacking"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7327",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:57:43.175Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7326 (GCVE-0-2017-7326)

    Vulnerability from cvelistv5 – Published: 2018-01-19 17:00 – Updated: 2024-09-17 03:37
    Summary
    Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page
    Severity
    No CVSS data available.
    CWE
    • Memory corruption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Yandex N.V. Yandex Browser for Android Affected: All versions prior to version 17.4.0.16.
    Date Public
    2018-01-18 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:56:36.417Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Yandex Browser for Android",
              "vendor": "Yandex N.V.",
              "versions": [
                {
                  "status": "affected",
                  "version": "All versions prior to version 17.4.0.16."
                }
              ]
            }
          ],
          "datePublic": "2018-01-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Memory corruption",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-19T16:57:01.000Z",
            "orgId": "a51c9250-e584-488d-808b-03e6f1386796",
            "shortName": "yandex"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "browser-security@yandex-team.ru",
              "DATE_PUBLIC": "2018-01-18T00:00:00",
              "ID": "CVE-2017-7326",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Yandex Browser for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "All versions prior to version 17.4.0.16."
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Yandex N.V."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page"
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Memory corruption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4",
                  "refsource": "CONFIRM",
                  "url": "https://browser.yandex.com/security/changelogs/fixed-in-version-17-4"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a51c9250-e584-488d-808b-03e6f1386796",
        "assignerShortName": "yandex",
        "cveId": "CVE-2017-7326",
        "datePublished": "2018-01-19T17:00:00.000Z",
        "dateReserved": "2017-03-30T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:37:27.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }