Vulnerability identifier: #VU74028

Vulnerability risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28286

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft Edge
Client/Desktop applications / Web browsers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

the vulnerability exists due to improper implementation of security restrictions. A remote attacker can trick the victim to open a specially crafted URL and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Edge: 111.0.1661.41 - 111.0.1661.51, 110.0.1587.41 - 110.0.1587.69, 109.0.1343.27 - 109.0.1518.78, 108.0.1293.81 - 108.0.1462.95, 106.0.1370.34 - 106.0.1370.86, 107.0.1418.24 - 107.0.1418.62, 105.0.1343.25 - 105.0.1343.53, 104.0.1293.47 - 104.0.1293.91, 103.0.1264.37 - 103.0.1264.77, 102.0.1245.30 - 102.0.1245.62, 101.0.1210.32 - 101.0.1210.53, 100.0.1185.29 - 100.0.1185.60, 98.0.1108.43 - 98.0.1108.92, 99.0.1150.30 - 99.0.1150.55, 97.0.1072.55 - 97.0.1072.76, 96.0.1054.29 - 96.0.1054.75, 95.0.1020.30 - 95.0.1020.53, 94.0.992.31 - 94.0.992.58, 79.0.309.71 - 79.0.3945.130, 93.0.961.38 - 93.0.961.52, 92.0.902.55 - 92.0.902.84, 91.0.864.37 - 91.0.864.71, 90.0.818.39 - 90.0.818.66, 89.0.774.45 - 89.0.774.77, 88.0.705.50 - 88.0.705.81, 87.0.664.41 - 87.0.664.75, 86.0.622.43 - 86.0.622.69, 84.0.522.40, 83.0.478.37

---

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-28286

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.