CVE-2017-0002
published 2017-01-10CVE-2017-0002: Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge Elevation…
PriorityP351high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EPSS
14.89%
96.3th percentile
Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge Elevation of Privilege Vulnerability."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_server_2016 | — | — |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc5.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
Internet Explorer Elevation of Privilege Vulnerability
vendor_msrc·2017-01-10·CVSS 5.4
CVE-2017-0002 [HIGH] Internet Explorer Elevation of Privilege Vulnerability
Internet Explorer Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into
GHSA
GHSA-rr5r-hxx7-jmq7: Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge
ghsa_unreviewed·2022-05-13
CVE-2017-0002 [HIGH] GHSA-rr5r-hxx7-jmq7: Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge
Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge Elevation of Privilege Vulnerability."
No detection rules found.
No public exploits indexed.
Qualys
Microsoft Starts 2017 with Record Low Security Updates | Qualys
blogs_qualys·2017-01-10·CVSS 8.8
[HIGH] Microsoft Starts 2017 with Record Low Security Updates | Qualys
Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.
In today’
Qualys
Microsoft Starts 2017 with Record Low Security Updates
blogs_qualys·2017-01-10·CVSS 8.8
[HIGH] Microsoft Starts 2017 with Record Low Security Updates
Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide . The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.
In today
Bugzilla
CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)
bugzilla·2017-10-09·CVSS 7.0
CVE-2017-12189 [HIGH] CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)
CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)
It was reported that the jbossas init script performed unsafe file handling, which could result in local privilege escalation.
Discussion:
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
---
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Via RHSA-2018:0004 https://access.
Bugzilla
CVE-2017-2576 CVE-2017-2578 moodle: Multiple security issues
bugzilla·2017-01-20·CVSS 5.3
CVE-2017-2576 [MEDIUM] CVE-2017-2576 CVE-2017-2578 moodle: Multiple security issues
CVE-2017-2576 CVE-2017-2578 moodle: Multiple security issues
MSA-17-0002: Incorrect sanitation of attributes in forums - CVE-2017-2576
https://moodle.org/mod/forum/discuss.php?d=345912
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225
MSA-17-0004: XSS in assignment submission page - CVE-2017-2578
https://moodle.org/mod/forum/discuss.php?d=345915
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580
References:
https://moodle.org/news/#p1393111
Discussion:
Created moodle tracking bugs for this issue:
Affects: fedora-all [bug 1401064]
Affects: epel-all [bug 1401065]
Bugzilla
CVE-2015-2155 tcpdump: force printer vulnerability
bugzilla·2015-03-13·CVSS 5.0
CVE-2015-2155 [MEDIUM] CVE-2015-2155 tcpdump: force printer vulnerability
CVE-2015-2155 tcpdump: force printer vulnerability
A flaw was found in tcpdump's force printer. A remote attacker could use this flaw to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.
Upstream patch:
http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
Discussion:
Created tcpdump tracking bugs for this issue:
Affects: fedora-all [bug 1201799]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1871 https://access.redhat.com/errata/RHSA-2017:1871
http://www.securityfocus.com/bid/95284http://www.securitytracker.com/id/1037573https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-001http://www.securityfocus.com/bid/95284http://www.securitytracker.com/id/1037573https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-001
2017-01-10
Published