Gentoo update for Microsoft Edge



Updated: 2024-10-25
Risk: High
Patch available: YES
Number of vulnerabilities: 16
CVE-ID: CVE-2023-29345, CVE-2023-33143, CVE-2023-33145, CVE-2023-35618, CVE-2023-36022, CVE-2023-36029, CVE-2023-36034, CVE-2023-36409, CVE-2023-36559, CVE-2023-36562, CVE-2023-36727, CVE-2023-36735, CVE-2023-36741, CVE-2023-36787, CVE-2023-36880, CVE-2023-38174
CWE-ID: CWE-79, CWE-254, CWE-200, CWE-20, CWE-451, CWE-787
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #3 is available.

Vulnerable software

Gentoo Linux (Operating systems & Components / Operating system)

www-client/microsoft-edge (Operating systems & Components / Operating system package or component)

Vendor: Gentoo

Security Bulletin

This security bulletin contains information about 16 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU76827

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29345

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security features bypass

EUVDB-ID: #VU76828

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-33143

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper input validation. A remote attacker can trick the victim into clicking on a specially crafted link and spoof the page content or crash the browser.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU77261

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-33145

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in Microsoft Edge. A remote attacker can trick the victim into clicking on a specially crafted link and obtain sensitive information from a targeted site, such as IDs, tokens and nonces.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

4) Input validation error

EUVDB-ID: #VU83984

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35618

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU82693

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36022

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing files. A remote attacker can trick the victim into downloading and opening a specially crafted file in the browser and execute arbitrary code on the system.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Spoofing attack

EUVDB-ID: #VU82695

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36029

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can modify the content of the vulnerable link to redirect the victim to a malicious site.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU82694

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36034

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input when processing files. A remote attacker can trick the victim into downloading and opening a specially crafted file in the browser and execute arbitrary code on the system.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Out-of-bounds write

EUVDB-ID: #VU86050

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36409

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and write to enclave memory from a host application, which can leak memory contents of the enclave.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Spoofing attack

EUVDB-ID: #VU82009

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36559

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim into opening a specially crafted URL and spoof page content.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Input validation error

EUVDB-ID: #VU80838

Risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36562

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when handling files. A remote attacker can trick the victim into opening a specially crafted file and bypass browser sandbox restrictions.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Spoofing attack

EUVDB-ID: #VU80839

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36727

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick the victim into visiting a malicious URL and spoof the content of a legitimate website.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Input validation error

EUVDB-ID: #VU80840

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36735

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a malicious website, bypass browser sandbox restrictions and execute arbitrary code on the system.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Input validation error

EUVDB-ID: #VU80020

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36741

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into downloading a specially crafted file and execute arbitrary code on the system.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Input validation error

EUVDB-ID: #VU79666

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36787

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of files. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the target system.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Information disclosure

EUVDB-ID: #VU83982

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36880

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system and possibly modify data.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Information disclosure

EUVDB-ID: #VU83983

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-38174

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information.

Mitigation

Update the affected packages.
www-client/microsoft-edge to version: 120.0.2210.61

Vulnerable software versions

Gentoo Linux: All versions

www-client/microsoft-edge: before 120.0.2210.61

External links

http://security.gentoo.org/glsa/202402-05

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
