#VU9863 Cross-domain policy bypass in Microsoft Edge - CVE-2018-0803
Published: January 3, 2018 / Updated: January 4, 2018
Vulnerability identifier: #VU9863
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-0803
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Microsoft Edge
Microsoft Edge
Software vendor:
Microsoft
Microsoft
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to improper enforcement of cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. A remote attacker can create a specially crafted web page, trick the victim into opening it and replace contents in another user's tab.
Successful exploitation of the vulnerability may allow an attacker to steal victim's credentials to another website, perform phishing and drive-by download attacks.
The vulnerability exists due to improper enforcement of cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. A remote attacker can create a specially crafted web page, trick the victim into opening it and replace contents in another user's tab.
Successful exploitation of the vulnerability may allow an attacker to steal victim's credentials to another website, perform phishing and drive-by download attacks.
Remediation
Install updates from vendor's website.