CVE-2024-38221

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Sep 19, 2024

CVSS: 4.3 / EPSS: 0.05% / Severity: Medium

Summary

A spoofing vulnerability has been identified in Microsoft Edge (Chromium-based). This vulnerability is related to improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). The vulnerability affects versions of Microsoft Edge (Chromium-based) prior to 129.0.2792.52.

Impact

If exploited, this vulnerability could allow an attacker to perform cross-site scripting attacks. The potential impacts include:

1. Spoofing: An attacker could trick users into believing they are interacting with a legitimate website when they are not.
2. Information disclosure: Sensitive user data could be stolen if the attacker manages to execute malicious scripts in the context of the user's browser.
3. Session hijacking: The attacker might be able to steal session tokens and impersonate the user on the affected website.
4. Phishing: Users could be redirected to malicious websites or presented with fake forms to steal credentials.

The severity of this vulnerability is considered moderate, with a CVSS v3.1 base score of 4.3. The impact on integrity is low, while there is no direct impact on confidentiality or availability. User interaction is required for successful exploitation, which somewhat mitigates the risk.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available for this vulnerability. Microsoft has released an update to address the issue in Edge (Chromium-based) version 129.0.2792.52 and later. The security team should prioritize updating Microsoft Edge to this version or newer to mitigate the risk.

Mitigation

To mitigate this vulnerability, the following steps are recommended:

1. Update Microsoft Edge: Apply the latest security update to bring Edge to version 129.0.2792.52 or later.
2. Enable automatic updates: Configure Microsoft Edge to automatically install updates to ensure timely protection against future vulnerabilities.
3. User education: Inform users about the risks of clicking on suspicious links or interacting with untrusted websites.
4. Implement content security policies: Use CSP headers to restrict the sources of content that can be loaded by the browser, reducing the risk of XSS attacks.
5. Input validation and output encoding: Encourage development teams to implement proper input validation and output encoding practices in web applications to prevent XSS vulnerabilities.
6. Consider using browser extensions: Recommend security extensions that can help detect and prevent XSS attacks for an added layer of protection.
7. Monitor for exploitation: Use intrusion detection systems and web application firewalls to detect and block potential XSS attacks targeting this vulnerability.
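The first two mitigation steps (patch to 129.0.2792.52 or later, and keep automatic updates enabled) are the ones an administrator can verify on a host. The script below is an added example, not part of the Feedly record or any Microsoft tooling: it reads the ProductVersion of each msedge.exe found in the usual per-machine and per-user install locations, compares it to the fixed version using PowerShell's [version] type (so 129.0.2792.52 is correctly ranked above 129.0.2700.x, which a string comparison would get wrong), and checks whether an Edge Update policy has disabled updates. The install paths and the EdgeUpdate policy key and UpdateDefault value are assumed standard locations, not values taken from the advisory.

```powershell
# Added example: verify Edge is at or above the fixed build for CVE-2024-38221
# and that Edge Update is not policy-blocked. Paths and registry names below are
# assumptions based on default installs, not values from the advisory.

$FixedVersion = [version]'129.0.2792.52'   # fixed version stated in the advisory

# Assumption: default per-machine (x64 and x86) and per-user install locations
$Candidates = @(
    "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
    "$env:LOCALAPPDATA\Microsoft\Edge\Application\msedge.exe"
)

function Get-EdgeInstallStatus {
    param(
        [version]$Fixed = $FixedVersion,
        [string[]]$Paths = $Candidates
    )

    $results = foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            # Cast to [version] so the comparison is numeric per component,
            # not lexicographic on the string.
            $installed = [version](Get-Item -LiteralPath $p).VersionInfo.ProductVersion
            [pscustomobject]@{
                Path      = $p
                Installed = $installed
                Fixed     = $Fixed
                Patched   = ($installed -ge $Fixed)
            }
        }
    }

    if (-not $results) {
        Write-Warning 'msedge.exe was not found in any of the expected locations.'
    }
    $results
}

function Get-EdgeUpdatePolicyStatus {
    # Assumption: Edge Update policies live under this key and
    # UpdateDefault = 0 means "updates disabled".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -ne $props.UpdateDefault -and $props.UpdateDefault -eq 0) {
            return 'Edge updates are disabled by policy (UpdateDefault = 0); re-enable before relying on auto-update.'
        }
    }
    'No policy blocking Edge updates was found.'
}

Get-EdgeInstallStatus | Format-Table -AutoSize
Get-EdgeUpdatePolicyStatus
```

Run it in an elevated session so the HKLM policy key is readable; a host is considered remediated only when every discovered install reports Patched = True, since a stale per-user copy under LOCALAPPDATA remains vulnerable even after the per-machine install is updated.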

CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

Timeline

CVSS

A CVSS base score of 4.3 has been assigned.

Sep 19, 2024 at 8:55 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-38221.

Sep 19, 2024 at 9:00 PM / Microsoft Security Advisories - MSRC
CVE Assignment

NVD published the first details for CVE-2024-38221

Sep 19, 2024 at 9:15 PM
CVSS Estimate

Feedly estimated the CVSS score as LOW

Sep 19, 2024 at 9:31 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 19, 2024 at 10:56 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380529)

Sep 20, 2024 at 7:16 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 17.7%)

Sep 20, 2024 at 10:02 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (207516)

Sep 20, 2024 at 5:15 PM
EPSS

EPSS Score was set to: 0.06% (Percentile: 28.5%)

Nov 19, 2024 at 2:42 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/edge_chromium

Patches

Microsoft

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

References

CVE-2024-38221 - Security Update Guide - Microsoft - Microsoft Edge (Chromium-based) Spoofing Vulnerability
According to the CVSS metric, user interaction is required (UI:R).
CVE-2024-38221 Microsoft Edge (Chromium-based) Spoofing Vulnerability: Information published.

News

CVE-2024-38221 Microsoft Edge (Chromium-based) Spoofing Vulnerability
Patch Tuesday October 2024 - Five Zero Days
Besides these zero-days we have five CVEs rated critical. These mainly affect Windows OSes as well as MS Configuration Manager, and some one-offs for Dynamics and the GroupMe app. CVE-2024-43572 is a remote code execution vulnerability with a rating of important.
Third-Party Software Update Catalog Release History – September 2024
In September 2024, our third-party software update catalog for Microsoft SCCM contained 1047 bug, feature, and security-related updates: 1047 total updates, 234 security updates (161 of which include CVE-IDs), and 92 new products.
Government urges these Microsoft users to immediately update their devices - Times of India
In its advisory issued on September 24, 2024, the cyber security agency urges users to update their devices to the latest software version. The Indian Computer Emergency Response Team (CERT-In) has discovered multiple vulnerabilities in Microsoft Edge that can be exploited by a remote attacker to trigger remote code execution on the affected devices.
Government Urges Microsoft Users to Update Devices Immediately, Microsoft’s Tool To Correct AI Hallucinations
The Indian government has issued an urgent advisory for users of certain Microsoft products to update their devices immediately. CERT-In issued an urgent advisory for users of Microsoft Windows, Office, and Edge.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
