Multiple vulnerabilities in Microsoft Edge for Android

Published: 2021-09-03

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-26439 CVE-2021-38641
CWE-ID	CWE-200 CWE-451
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Microsoft Edge for Android Client/Desktop applications / Web browsers
Vendor	Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU56292

Risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-26439

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the Microsoft Edge for Android. An attacker with physical access can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge for Android: All versions

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26439

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Spoofing attack

EUVDB-ID: #VU56293

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38641

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)