OS command injection in Microsoft Edge and Internet Explorer

Published: 2019-04-10 02:38:51 | Updated: 2019-04-10
Severity Medium
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2019-0764
CVSSv3 6.5 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID CWE-78
Exploitation vector Network
Public exploit N/A
Vulnerable software Microsoft Internet Explorer
Microsoft Edge
Vulnerable software versions Microsoft Internet Explorer 9
Microsoft Internet Explorer 10
Microsoft Internet Explorer 11
Microsoft Edge -
Vendor URL Microsoft

Security Advisory

1) OS Command Injection

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing URLs under certain conditions. A remote unauthenticated attacker can trick the victim into opening a specially crafted URL and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0764

Back to List