Multiple vulnerabilities in Microsoft Edge (Chromium-based)



Published: 2021-04-16
Risk High
Patch available YES
Number of vulnerabilities 19
CVE ID CVE-2021-21201
CVE-2021-21212
CVE-2021-21219
CVE-2021-21218
CVE-2021-21217
CVE-2021-21216
CVE-2021-21215
CVE-2021-21214
CVE-2021-21213
CVE-2021-21211
CVE-2021-21202
CVE-2021-21210
CVE-2021-21209
CVE-2021-21208
CVE-2021-21207
CVE-2021-21221
CVE-2021-21205
CVE-2021-21204
CVE-2021-21203
CWE ID CWE-416
CWE-451
CWE-908
CWE-358
CWE-20
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft Edge (Chromium-based)
Client/Desktop applications / Web browsers

Vendor Microsoft

Security Advisory

1) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21201

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the permissions component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21201

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21212

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Network Config UI in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21212

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of uninitialized resource

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21219

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of uninitialized resources in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21219

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use of uninitialized resource

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21218

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of uninitialized resources in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21218

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use of uninitialized resource

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21217

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of uninitialized resources in PDFium in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21217

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21216

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21216

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21215

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21215

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use-after-free

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21214

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Network API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21214

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Use-after-free

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21213

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within WebMIDI in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21213

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21211

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21211

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21202

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the extensions component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21202

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21210

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Network in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21210

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improperly implemented security check for standard

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21209

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in storage in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21209

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Input validation error

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21208

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in QR scanner in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21208

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21207

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within IndexedDB in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21207

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Input validation error

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21221

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in Mojo in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into opening it and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21221

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Permissions, Privileges, and Access Controls

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21205

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in navigation in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21205

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21204

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Blink component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21204

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Use-after-free

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21203

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Blink component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge (Chromium-based): 79.0.309.71, 83.0.478.37, 84.0.522.40, 88.0.705.50, 88.0.705.62, 88.0.705.74, 89.0.774.45, 89.0.774.54, 89.0.774.68, 89.0.774.76, 89.0.774.77

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21203

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###