SB2024020404 - Gentoo update for Microsoft Edge
Published: February 4, 2024 Updated: October 25, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2023-29345)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Security features bypass (CVE-ID: CVE-2023-33143)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation. A remote attacker can trick the victim to click on a specially crafted link and spoof the page content or crash the browser.
3) Information disclosure (CVE-ID: CVE-2023-33145)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in Microsoft Edge. A remote attacker can trick the victim to click on a specially crafted link and obtain sensitive information from a targeted site, such as IDs, tokens, nonces.
4) Input validation error (CVE-ID: CVE-2023-35618)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to visit a specially crafted website and execute arbitrary code on the system.
5) Input validation error (CVE-ID: CVE-2023-36022)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing files. A remote attacker can trick the victim to download and open a specially crafted file in browser and execute arbitrary code on the system.
6) Spoofing attack (CVE-ID: CVE-2023-36029)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can modify the content of the vulnerable link to redirect the victim to a malicious site.
7) Input validation error (CVE-ID: CVE-2023-36034)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
8) Out-of-bounds write (CVE-ID: CVE-2023-36409)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trick the victim to visit a specially crafted website, trigger an out-of-bounds write and write to enclave memory from a host application, which can leak memory contents of the enclave.
9) Spoofing attack (CVE-ID: CVE-2023-36559)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim to open a specially crafted URL and spoof page content.
10) Input validation error (CVE-ID: CVE-2023-36562)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when handling files. A remote attacker can trick the victim to open a specially crafted file and bypass browser sandbox restrictions.
11) Spoofing attack (CVE-ID: CVE-2023-36727)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim to visit a malicious URL and spoof the content of a legitimate website.
12) Input validation error (CVE-ID: CVE-2023-36735)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a malicious website, bypass browser sandbox restrictions and execute arbitrary code on the system.
13) Input validation error (CVE-ID: CVE-2023-36741)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to download a specially crafted file and execute arbitrary code on the system.
14) Input validation error (CVE-ID: CVE-2023-36787)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of files. A remote attacker can trick the victim to visit a specially crafted website and execute arbitrary code on the target system.
15) Information disclosure (CVE-ID: CVE-2023-36880)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system and possibly modify data.
16) Information disclosure (CVE-ID: CVE-2023-38174)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information.
Remediation
Install update from vendor's website.