Microsoft Browser Information Disclosure Vulnerability

1) Cross-site scripting

EUVDB-ID: #VU4243

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-7282

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

Vulnerability allows a remote authenticated attacker to perform Cross-site scripting attacks.

An input validation error exists in the way Microsoft browsers handle certain untrusted input. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Internet Explorer: 9 - 11

Microsoft Edge: All versions

CPE2.3

• cpe:2.3:a:microsoft:microsoft_internet_explorer:9:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_internet_explorer:10:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_internet_explorer:11:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7282

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.