Multiple vulnerabilities in Microsoft Edge
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 29 |
| CVE-ID | CVE-2017-8518 CVE-2017-8634 CVE-2017-8635 CVE-2017-8636 CVE-2017-8637 CVE-2017-8638 CVE-2017-8639 CVE-2017-8640 CVE-2017-8662 CVE-2017-8670 CVE-2017-8671 CVE-2017-8672 CVE-2017-8641 CVE-2017-8642 CVE-2017-8644 CVE-2017-8645 CVE-2017-8646 CVE-2017-8647 CVE-2017-8650 CVE-2017-8655 CVE-2017-8656 CVE-2017-8652 CVE-2017-8657 CVE-2017-8659 CVE-2017-8661 CVE-2017-8674 CVE-2017-8503 CVE-2017-8669 CVE-2017-8653 |
| CWE-ID | CWE-119 CWE-264 CWE-200 CWE-79 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #10 is available. Public exploit code for vulnerability #11 is available. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #15 is available. Public exploit code for vulnerability #16 is available. Public exploit code for vulnerability #17 is available. Public exploit code for vulnerability #21 is available. Public exploit code for vulnerability #22 is available. Public exploit code for vulnerability #23 is available. |
| Vulnerable software Subscribe |
Microsoft Edge Client/Desktop applications / Web browsers |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 29 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU7710
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8518
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to improper handling objects in memory by Microsoft Edge. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Microsoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8518
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU7712
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8634
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8634
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Memory corruption
EUVDB-ID: #VU7713
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8635
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8635
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Memory corruption
EUVDB-ID: #VU7714
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8636
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8636
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Security restrictions bypass
EUVDB-ID: #VU7715
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8637
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to bypass security restrictions on the target system.
The weakness exists in Microsoft Edge due to how memory is accessed in code compiled by the Edge Just-In-Time (JIT) compiler. A local attacker can visit a specially crafted website and bypass Arbitrary Code Guard (ACG).
Successful exploitation of the vulnerability may result in further attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8637
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory corruption
EUVDB-ID: #VU7716
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8638
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8638
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory corruption
EUVDB-ID: #VU7717
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8639
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8639
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Memory corruption
EUVDB-ID: #VU7718
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8640
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8640
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Information disclosure
EUVDB-ID: #VU7719
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8662
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper validation of strings in specific scenarios by Microsoft Edge. A remote attacker can run an affected application, gain access to arbitrary files and bypass Address Space Layout Randomization (ASLR).
Successful exploitation of the vulnerability may result in further attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8662
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Memory corruption
EUVDB-ID: #VU7722
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8670
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8670
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Memory corruption
EUVDB-ID: #VU7724
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8671
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8671
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
12) Memory corruption
EUVDB-ID: #VU7725
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8672
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8672
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Memory corruption
EUVDB-ID: #VU7726
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8641
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8641
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
14) Cross-site scripting
EUVDB-ID: #VU7727
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8642
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8642
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Cross-site scripting
EUVDB-ID: #VU7729
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8644
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
16) Memory corruption
EUVDB-ID: #VU7730
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8645
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8645
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
17) Memory corruption
EUVDB-ID: #VU7733
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8646
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8646
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
18) Memory corruption
EUVDB-ID: #VU7735
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8647
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8647
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Cross-site scripting
EUVDB-ID: #VU7736
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8650
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8650
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Memory corruption
EUVDB-ID: #VU7737
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8655
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8655
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Memory corruption
EUVDB-ID: #VU7738
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8656
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8656
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
22) Cross-site scripting
EUVDB-ID: #VU7739
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8652
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8652
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
23) Memory corruption
EUVDB-ID: #VU7740
Risk: High
CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-8657
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8657
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
24) Cross-site scripting
EUVDB-ID: #VU7741
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8659
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data by the Chakra scripting engine. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8659
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Memory corruption
EUVDB-ID: #VU7742
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8661
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft scripting engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8661
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Memory corruption
EUVDB-ID: #VU7745
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8674
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browser JavaScript engines. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8674
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Privilege escalation
EUVDB-ID: #VU7746
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8503
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access controls. A local attacker can gain elevated privileges and break out of the Edge AppContainer sandbox.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8503
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Memory corruption
EUVDB-ID: #VU7751
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8669
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browsers. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8669
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Memory corruption
EUVDB-ID: #VU7753
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-8653
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when handling objects in memory by Microsoft browsers. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: All versions
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8653
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
