Multiple vulnerabilities in Microsoft Edge



Published: 2022-04-29
Risk High
Patch available YES
Number of vulnerabilities 25
CVE-ID CVE-2022-1487
CVE-2022-29146
CVE-2022-29147
CVE-2022-1477
CVE-2022-1478
CVE-2022-1479
CVE-2022-1480
CVE-2022-1481
CVE-2022-1482
CVE-2022-1483
CVE-2022-1484
CVE-2022-1485
CVE-2022-1488
CVE-2022-1486
CVE-2022-1490
CVE-2022-1491
CVE-2022-1492
CVE-2022-1493
CVE-2022-1494
CVE-2022-1495
CVE-2022-1497
CVE-2022-1498
CVE-2022-1499
CVE-2022-1500
CVE-2022-1501
CWE-ID CWE-416
CWE-264
CWE-20
CWE-358
CWE-122
CWE-843
CWE-451
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft Edge
Client/Desktop applications / Web browsers

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 25 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU62619

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1487

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Ozone in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1304368
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1487

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU62700

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29146

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions. A remote attacker can trick the victim to visit a specially crafted website, escape browser sandbox and execute arbitrary code on the system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29146

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU62701

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29147

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to visit a specially crafted website while using Edge in Internet Explorer Mode and bypass certain security restrictions.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29147

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU62609

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1477

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Vulkan component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1313905
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1477

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

EUVDB-ID: #VU62610

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1478

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the SwiftShader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1299261
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1478

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use-after-free

EUVDB-ID: #VU62611

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1479

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the ANGLE component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1305190
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1479

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU62612

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1480

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Device API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1307223
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1480

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use-after-free

EUVDB-ID: #VU62613

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1481

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Sharing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1302949
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1481

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improperly implemented security check for standard

EUVDB-ID: #VU62614

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1482

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in WebGL in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1304987
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1482

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Heap-based buffer overflow

EUVDB-ID: #VU62615

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1483

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in WebGPU. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1314754
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1483

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Heap-based buffer overflow

EUVDB-ID: #VU62616

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1484

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Web UI Settings. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1297429
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1484

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU62617

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1485

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within File System API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1299743
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1485

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improperly implemented security check for standard

EUVDB-ID: #VU62620

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1488

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Extensions API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1302959
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1488

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Type Confusion

EUVDB-ID: #VU62618

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1486

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a type confusion error and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1314616
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1486

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

EUVDB-ID: #VU62622

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1490

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Browser Switcher in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1301840
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1490

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use-after-free

EUVDB-ID: #VU62623

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1491

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Bookmarks in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1305706
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1491

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Input validation error

EUVDB-ID: #VU62624

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1492

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Blink Editing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1315040
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1492

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Use-after-free

EUVDB-ID: #VU62625

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1493

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Dev Tools in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1275414
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1493

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Input validation error

EUVDB-ID: #VU62626

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1494

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Trusted Types in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1298122
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1494

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Spoofing attack

EUVDB-ID: #VU62627

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1495

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Downloads in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1301180
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1495

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Improperly implemented security check for standard

EUVDB-ID: #VU62629

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1497

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Input in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1264543
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1497

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improperly implemented security check for standard

EUVDB-ID: #VU62630

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1498

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in HTML Parser in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1297138
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1498

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improperly implemented security check for standard

EUVDB-ID: #VU62631

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1499

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in WebAuthentication in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1000408
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1499

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Input validation error

EUVDB-ID: #VU62632

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1500

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in Dev Tools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1223475
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1500

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Improperly implemented security check for standard

EUVDB-ID: #VU62633

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1501

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in iframe in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Install updates from Microsoft website.

Vulnerable software versions

Microsoft Edge: 79.0.309.71 - 100.0.1185.50


CPE2.3 External links

http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_26.html
http://crbug.com/1293191
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1501

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###