Lack of CSP enforcement on WebUI pages in Bink in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension.
CWE-79
CVE-2018-6076
Insufficient encoding of URL fragment identifiers in Blink in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform a DOM based XSS attack via a crafted HTML page.
CVE-2018-6081
XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension or open Developer Console to inject arbitrary scripts or HTML via a crafted HTML page.
CVE-2018-6051
XSS Auditor in Google Chrome prior to 64.0.3282.119, did not ensure the reporting URL was in the same origin as the page it was on, which allowed a remote attacker to obtain referrer details via a crafted HTML page.
CVE-2018-6001
The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross-Site Scripting via soundy-audio-playlisttemplatesfront-end.php (war_sdy_pl_preview parameter).
CVE-2018-6002
The Soundy Background Music plugin 3.9 and below for WordPress has Cross-Site Scripting via soundy-background-musictemplatesfront-end.php (war_soundy_preview parameter).