Multiple vulnerabilities in Microsoft Edge



Published: 2021-09-02
Risk High
Patch available YES
Number of vulnerabilities 21
CVE-ID CVE-2021-30624
CVE-2021-30613
CVE-2021-30606
CVE-2021-30607
CVE-2021-30608
CVE-2021-30609
CVE-2021-30610
CVE-2021-30611
CVE-2021-30612
CVE-2021-30614
CVE-2021-30623
CVE-2021-30615
CVE-2021-30616
CVE-2021-30617
CVE-2021-30618
CVE-2021-30619
CVE-2021-30620
CVE-2021-30621
CVE-2021-30622
CVE-2021-36930
CVE-2021-26436
CWE-ID CWE-416
CWE-122
CWE-200
CWE-284
CWE-358
CWE-451
CWE-264
CWE-20
CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft Edge
Client/Desktop applications / Web browsers

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 21 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU56213

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-30624

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to use-after-free error in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Use-after-free

EUVDB-ID: #VU56205

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30613

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Base internals in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Use-after-free

EUVDB-ID: #VU56198

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-30606

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Blink component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Use-after-free

EUVDB-ID: #VU56199

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-30607

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Permissions component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Use-after-free

EUVDB-ID: #VU56200

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-30608

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Web Share component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Use-after-free

EUVDB-ID: #VU56201

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-30609

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Sign-In component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) Use-after-free

EUVDB-ID: #VU56202

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-30610

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Extensions API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Use-after-free

EUVDB-ID: #VU56203

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30611

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within WebRTC in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Use-after-free

EUVDB-ID: #VU56204

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30612

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within WebRTC in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Heap-based buffer overflow

EUVDB-ID: #VU56206

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30614

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in TabStrip. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

11) Use-after-free

EUVDB-ID: #VU56212

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-30623

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to use-after-free error in Bookmarks in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and crash the browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

12) Information disclosure

EUVDB-ID: #VU56214

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30615

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to cross-domain data leak in Navigation in Google Chrome. A remote attacker can trick the victim to open a specially crafted website and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

13) Use-after-free

EUVDB-ID: #VU56207

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30616

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Media in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

14) Improper access control

EUVDB-ID: #VU56208

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30617

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions in Blink. A remote attacker can create a specially crafted web page, trick the victim into visiting it, bypass implemented security restrictions and gain unauthorized access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

15) Improperly implemented security check for standard

EUVDB-ID: #VU56209

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-30618

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

16) Spoofing attack

EUVDB-ID: #VU56215

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30619

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data in Autofill in Google Chrome. A remote attacker can spoof page content.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

17) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU56210

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30620

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Blink in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

18) Spoofing attack

EUVDB-ID: #VU56216

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30621

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data in Autofill in Google Chrome. A remote attacker can spoof page content.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

19) Use-after-free

EUVDB-ID: #VU56211

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-30622

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within WebApp Installs in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

20) Input validation error

EUVDB-ID: #VU56281

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-36930

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to open a specially crafted file and bypass implemented security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36930

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

21) Cross-site scripting

EUVDB-ID: #VU56279

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-26436

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 92.0.902.84


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26436

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###