CVE-2016-7199
published 2016-11-10CVE-2016-7199: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state…
PriorityP416low3.1CVSS 3.0
AVNACHPRNUIRSUCLINAN
EPSS
13.09%
95.9th percentile
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | microsoft_edge | — | — |
CVSS provenance
nvdv3.03.1LOWCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:P/I:N/A:N
vendor_msrc4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cfv6-v72g-wm88: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state
ghsa_unreviewed·2022-05-14
CVE-2016-7199 [LOW] CWE-200 GHSA-cfv6-v72g-wm88: Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability."
Microsoft
Microsoft Browser Information Disclosure Vulnerability
vendor_msrc·2016-11-08·CVSS 4.3
CVE-2016-7199 [LOW] Microsoft Browser Information Disclosure Vulnerability
Microsoft Browser Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain.
For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website.
This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access.
Microsoft Browsers: Microsoft Browsers
Impact: Information Disclosure
Exploit Status: Publicly Disclosed:Yes;Exploited:No;Latest Software Release:Exploitation Less Likely
No detection rules found.
No public exploits indexed.
Qualys
Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server | Qualys
blogs_qualys·2016-11-08·CVSS 3.1
CVE-2016-7255 [LOW] Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server | Qualys
Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched 0-day vulnerability CVE-2016-7255 in the MS16-135 which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited it should be the top priority for organizations. An OpenType font vulnerability CVE-2016-7256 was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and wer
Qualys
Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server
blogs_qualys·2016-11-08·CVSS 3.1
CVE-2016-7255 [LOW] Patch Tuesday: Microsoft Patches Actively Exploited Kernel and OpenType Font, Three Previously Disclosed Browser Issues and SQL Server
Today Microsoft released 14 security bulletins with six critical and eight important security fixes. It patched 0-day vulnerability CVE-2016-7255 in the MS16-135 which was actively attacked and disclosed by Google in their disclosure blog a few days ago. Since it is publicly disclosed and actively exploited it should be the top priority for organizations. An OpenType font vulnerability CVE-2016-7256 was also included by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage and therefore should be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before availability of patches were fixed. These three issues are in IE and Edge browser and wer
http://www.securityfocus.com/bid/94057http://www.securitytracker.com/id/1037245https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-129https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-142http://www.securityfocus.com/bid/94057http://www.securitytracker.com/id/1037245https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-129https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-142
2016-11-10
Published