Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Microsoft Edge (Chromium-based) has a spoofing vulnerability. This is a network-based vulnerability with low attack complexity, requiring user interaction. It can potentially change the scope of the attack and has low impacts on confidentiality and integrity, but no impact on availability.
If exploited, this vulnerability could allow an attacker to spoof content in Microsoft Edge (Chromium-based). The attack requires user interaction and can potentially extend beyond its original scope. While the direct confidentiality and integrity impacts are low, the changed scope suggests potential for broader consequences. There is no impact on system availability.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. Microsoft has released an official fix for this vulnerability. The vulnerability affects Microsoft Edge versions prior to 126.0.2592.102.
1. Apply the latest security update for Microsoft Edge (Chromium-based) as soon as possible. 2. Educate users about the risks of interacting with suspicious content or links in the browser. 3. Consider implementing additional security measures such as web filtering or advanced threat protection to help mitigate the risk of spoofing attacks. 4. Monitor for any unusual activity or reports of spoofing incidents in your environment.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Feedly found the first article mentioning CVE-2024-38156. See article
Feedly estimated the CVSS score as MEDIUM
A CVSS base score of 6.1 has been assigned.
This CVE started to trend in security discussions
NVD published the first details for CVE-2024-38156
EPSS Score was set to: 0.05% (Percentile: 17.4%)
This CVE stopped trending in security discussions