Cross-domain policy bypass in Microsoft Edge - CVE-2018-0803
Published: January 3, 2018 / Updated: January 4, 2018
Vulnerability identifier: #VU9863
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-0803
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Edge
Microsoft Edge
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to improper enforcement of cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. A remote attacker can create a specially crafted web page, trick the victim into opening it and replace contents in another user's tab.
Successful exploitation of the vulnerability may allow an attacker to steal victim's credentials to another website, perform phishing and drive-by download attacks.
The vulnerability exists due to improper enforcement of cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. A remote attacker can create a specially crafted web page, trick the victim into opening it and replace contents in another user's tab.
Successful exploitation of the vulnerability may allow an attacker to steal victim's credentials to another website, perform phishing and drive-by download attacks.
How to mitigate CVE-2018-0803
Install updates from vendor's website.