CVE-2024-38156

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Jul 17, 2024

CVSS: 6.1 / EPSS: 0.05% / Severity: Medium

Summary

Microsoft Edge (Chromium-based) has a spoofing vulnerability. It is reachable over the network, has low attack complexity, requires no privileges, and requires user interaction. Its CVSS scope is Changed, meaning the impact can extend beyond the vulnerable component; the confidentiality and integrity impacts are low, and there is no impact on availability.

Impact

If exploited, this vulnerability could allow an attacker to spoof content in Microsoft Edge (Chromium-based). The attack requires user interaction and can potentially extend beyond its original scope. While the direct confidentiality and integrity impacts are low, the changed scope suggests potential for broader consequences. There is no impact on system availability.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability. The vulnerability affects Microsoft Edge versions prior to 126.0.2592.102.

Mitigation

1. Apply the latest security update for Microsoft Edge (Chromium-based) as soon as possible.
2. Educate users about the risks of interacting with suspicious content or links in the browser.
3. Consider implementing additional security measures such as web filtering or advanced threat protection to help mitigate the risk of spoofing attacks.
4. Monitor for any unusual activity or reports of spoofing incidents in your environment.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Jul 12, 2024 at 9:36 PM / Patch My PC - First Article: Feedly found the first article mentioning CVE-2024-38156.

Jul 17, 2024 at 8:51 PM - CVSS Estimate: Feedly estimated the CVSS score as MEDIUM.

Jul 17, 2024 at 8:55 PM / microsoft - CVSS: A CVSS base score of 6.1 has been assigned.

Jul 18, 2024 at 8:14 AM - Trending: This CVE started to trend in security discussions.

Jul 19, 2024 at 2:15 AM - CVE Assignment: NVD published the first details for CVE-2024-38156.

Jul 19, 2024 at 10:22 AM - EPSS: EPSS Score was set to 0.05% (Percentile: 17.4%).

Jul 21, 2024 at 6:23 AM - Trending: This CVE stopped trending in security discussions.

Affected Systems

Microsoft/edge

Patches

Microsoft

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

References

CVE-2024-38156 - Security Update Guide - Microsoft - Microsoft Edge (Chromium-based) Spoofing Vulnerability
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.
Microsoft Edge (Chromium-based) Spoofing Vulnerability
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)?
CVE-2024-38156 Microsoft Edge (Chromium-based) Spoofing Vulnerability
Information published.

News

Patch Tuesday August 2024 - TEN Zero Days!
They consist of elevation of privilege, remote code execution and security feature bypass vulnerabilities. Next are the exploits that are currently being exploited: These six are rated moderate and important; none critical.
Third-Party Software Update Catalog Release History – July 2024
Third-Party Software Update Catalog Release History – July 2024 In July 2024, our third-party software update catalog for Microsoft SCCM contained 1100 bug, feature, and security-related updates. Below you will find a full list of relevant updates and new products for July 2024. 1100 Total Updates 316 Security Updates 239 of the 316 security updates include CVE-IDs 62 New Products New Products: AIMP 5.30.2560.0 (EXE-x64) AIMP 5.30.2560.0 (EXE-x86) Alfaview 9.13.0 (MSI-x64) Alfaview 9.13.0 (User-x64) Android Studio 2024.1.0 (EXE-x64) Anyware PCoIP Client 24.3.4.0 (EXE-x64) Appium Inspector 2024.6.1.0 (EXE-x64) Appium Inspector 2024.6.1.0 (User-x64) ASAP Utilities 8.6.0.0 (EXE-x86) ATLAS.ti 24.1.1.30813 (MSI-x64) Beyond Compare 5.0.0.29773 (EXE-x64) Beyond Compare 5.0.0.29773 (User-x64) BlueJ 5.3.0.0 (MSI-x64) Brave 126.1.67.123 (EXE-x64) Brave 126.1.67.123 (User-x64) Coder 2.12.3.0 CrashPlan 11.4.0.503 (MSI-x64) Crestron AirMedia 5.9.1.245 (MSI-x86) Crestron AirMedia 5.9.1.245 (User-x64) Dolphin EasyReader 11.0.1.593 (EXE-x86) doPDF Latest 11.9.465.0 (EXE-x64) Fusion 2022.2402.1.400 (EXE-x64) Fusion 2023.2402.1.400 (EXE-x64) Fusion 2024.2406.14.400 (EXE-x64) Fuze 23.11.14510.0 (EXE-x64) Global Relay 3.5.0.0 (User-x64) KeeWeb 1.18.7.0 (EXE-x64) LuxTrust Middleware 1.8.0.4 (EXE-x64) MakerBot Print 4.10.1.2056 (EXE-x64) Microsoft Visual Studio 2010 Tools for Office Runtime 10.0.60917.0 (EXE-x64) Mirth Connect Administrator Launcher 1.4.1 (EXE-x64) Mirth Connect Administrator Launcher 1.4.1 (EXE-x86) NordVPN 7.26.2.0 (EXE-x64) Oh My Posh 22.0.3 (EXE-x64) Oh My Posh 22.0.3 (User-x64) pdfFiller 1.0.89.0 (EXE-x86) Proton Drive 1.6.2.0 (User-x64) Proton Mail 1.0.5.0 (User-x64) Proton Mail Bridge 3.12.0.0 (EXE-x64) Proton Pass 1.20.2.0 (User-x64) Proton VPN 3.2.12.0 (EXE) Qlik Sense Desktop 14.187.7.0 (User-x64) QlikView Desktop 12.90.20000.0 (EXE-x64) QlikView Plugin 12.90.20000.0 (EXE-x86) REAPER 7.18.0 (EXE-x64) REAPER 7.18.0 (EXE-x86) Refinitiv Workspace 1.25.180.0 
(EXE-x64) Refinitiv Workspace 1.25.180.0 (User-x64) RustDesk 1.2.6.0 (EXE-x64) RustDesk 1.2.6.0 (EXE-x86) RustDesk 1.2.6.0 (MSI-x64) RVTools 4.6.1.0 (MSI-x86) Sophos Connect 2.3.1.0619 (MSI-x86) Tulip Player 2.5.1.0 (MSI-x64) Upscayl 2.11.5.0 (EXE-x64) Wacom Tablet Driver 6.4.6.2 (EXE-x64) Wazuh Agent 4.8.0.0 (MSI-x86) Xink Client AD 3.2.41.0 (MSI-x86) XPress 2.19.3.11008 (MSI-x64) XSplit VCam 4.2.2402.0903 (EXE-x64) Zorus Archon Agent 4.2.5.0 (EXE-x64) Zscaler Client Connector for VDI 1.3.014.0 (MSI-x64) Updates Added: (Oldest to Newest) Bruno 1.20.0 (User-x64) Release Notes for Bruno 1.20.0 (User-x64) Release Type: ⬤ ⬤ Scan Detection Ratio 0/63 VirusTotal Latest Scan Results (User-x64) CCleaner 6.25.11131 Release Notes for CCleaner 6.25.11131 Release Type: ⬤ ⬤ Scan Detection Ratio 0/71
Patch My PC Catalog Update – July 19, 2024
The 07/19/24 catalog release contains bug, feature and security-related updates. Release Notes for K-Lite Full Codec Pack 18.4.8
CVE-2024-38156
Medium Severity Description Microsoft Edge (Chromium-based) Spoofing Vulnerability Read more at https://www.tenable.com/cve/CVE-2024-38156
Medium - CVE-2024-38156 - Microsoft Edge (Chromium-based) Spoofing...
Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None
