CVE-2024-38207

Out-of-bounds Write (CWE-787)

Published: Aug 22, 2024

CVSS 6.3 (Medium) | EPSS 0.05%

Summary

Microsoft Edge (HTML-based) Memory Corruption Vulnerability, classified as an out-of-bounds write (CWE-787). Per the CVSS v3.1 vector, the attack vector is network, attack complexity is low, no privileges are required, user interaction is required, scope is unchanged, and the impact on confidentiality, integrity and availability is rated low.

Impact

An attacker who triggers the memory corruption in Microsoft Edge (HTML-based) could achieve a low-rated impact on the confidentiality, integrity and availability of the affected system. The attack is delivered over the network but requires user interaction, typically convincing a user to open a malicious web page or other attacker-controlled content in the browser.

Exploitation

No public proof-of-concept is known, and there is no evidence of in-the-wild exploitation at the time of writing.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability.

Mitigation

1. Apply the official update released by Microsoft as soon as possible, and confirm that the deployed Edge build actually includes it.
2. Educate users about the risks of opening untrusted links or visiting suspicious websites, since exploitation requires user interaction.
3. Consider network security controls (for example web filtering or intrusion detection) that can detect or block delivery of exploit content.
4. Keep Microsoft Edge and all other software up to date with the latest security patches.
5. Use browser security features and extensions that block untrusted scripts from running.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38207.

Aug 23, 2024 at 5:06 AM / RedPacket Security
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 23, 2024 at 11:03 PM

Affected Systems

Microsoft/edge_chromium

Patches

Microsoft

References

Microsoft Edge (HTML-based) Memory Corruption Vulnerability
According to the CVSS metrics, successful exploitation could lead to minor loss of confidentiality (C:L), integrity (I:L) and availability (A:L), and user interaction is required (UI:R).

News

CVE-2024-38207
Microsoft Edge (HTML-based) Memory Corruption Vulnerability CVE-2024-38207 originally published on CyberSecurityBoard
September’s Patch Tuesday update fixes 4 zero-days
Significant testing will be required for this month’s Microsoft SQL Server patches, which affect both server and desktop components — with a focus on application installations due to a change in how Microsoft Installer handles changes and installation rollbacks. This is a documentation update to a patch released last month to include support for all supported versions of Windows Server.
Microsoft Edge browser security update advisory
Out-of-bounds write vulnerability in the V8 feature in Microsoft Edge (Chromium-based) (CVE-2024-7970) Heap buffer overflow vulnerability in the Skia feature in Microsoft Edge (Chromium-based) (CVE-2024-8198)
Patch Tuesday September 2024 - Four Zero Days
CVE-2024-38217 is rated "Important" but it is the only one for the month that is not only exploited but also publicly disclosed. Of these 107 patches, four are zero days: CVE-2024-43491 is exploited but has not been publicly disclosed.
Third-Party Software Update Catalog Release History – August 2024
Third-Party Software Update Catalog Release History – August 2024
In August 2024, our third-party software update catalog for Microsoft SCCM contained 1039 bug, feature, and security-related updates: 179 security updates (131 of them with CVE-IDs) and 110 new products.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
