CVE-2017-0012
Published 2017-03-17
Priority P425 · medium · 4.3 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS 7.59% (93.8th percentile)
Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to spoof web content via a crafted web site, aka "Microsoft Browser Spoofing Vulnerability." This vulnerability is different from those described in CVE-2017-0033 and CVE-2017-0069.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft_corporation | edge | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
| msrc | internet_explorer_11_on_windows_server_2016 | — | — |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | — | — |
CVSS provenance
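| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_msrc | — | 4.3 | MEDIUM | — |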
GHSA
GHSA-xrh4-xh5j-cjm2 · CVE-2017-0033 [MEDIUM] CWE-20
ghsa_unreviewed·2022-05-17·CVSS 4.3
Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to spoof web content via a crafted web site, aka "Microsoft Browser Spoofing Vulnerability." This vulnerability is different from those described in CVE-2017-0012 and CVE-2017-0069.
GHSA
GHSA-r538-cxj6-r3pj · CVE-2017-0012 [MEDIUM] CWE-20
ghsa_unreviewed·2022-05-17·CVSS 4.3
Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to spoof web content via a crafted web site, aka "Microsoft Browser Spoofing Vulnerability." This vulnerability is different from those described in CVE-2017-0033 and CVE-2017-0069.
GHSA
GHSA-23g7-23q4-2x6g · CVE-2017-0069 [MEDIUM] CWE-20
ghsa_unreviewed·2022-05-17·CVSS 4.3
Microsoft Edge allows remote attackers to spoof web content via a crafted web site, aka "Microsoft Edge Spoofing Vulnerability." This vulnerability is different from those described in CVE-2017-0012 and CVE-2017-0033.
VMware
VMSA-2017-0012: VMware VIX API VM Direct Access Function security issue
vendor_vmware·2017-07-27·CVSS 9.0
CVE-2017-4919 [CRITICAL]
The VMware VIX API has a functionality that allows for direct access to Guest OSs, which is used by VMware Site Recovery Manager, VMware Update Manager, and VMware Infrastructure Navigator to manage Guest OSs. This functionality may be used by vSphere users with limited privileges to access a Guest OS without the need to authenticate. In order for vSphere users with limited privileges to use this functionality, they would need to have all three of the following privileges:
Virtual Machine -> Configuration -> Advanced
Virtual Machine -> Interaction -> Guest Operating System Management by VIX API
Host -> Configuration -> Advanced Settings
CVEs: CVE-2017-4919
Affec
Microsoft
Microsoft Browser Spoofing Vulnerability
vendor_msrc·2017-03-14·CVSS 4.3
CVE-2017-0012 [MEDIUM]
Description: A spoofing vulnerability exists when Microsoft browsers do not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.
To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.
In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user.
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - March 2017
blogs_talos·2017-03-14·CVSS 4.3
[MEDIUM]
Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.
### Bulletins Rated Critical
MS17-006, MS17-007, MS17-008, MS17-009, MS17-010, MS17-011, MS17-012, MS17-013 and MS17-0
Bugzilla
CVE-2017-7489 CVE-2017-7490 CVE-2017-7491 moodle: Multiple security vulnerabilities
bugzilla·2017-05-17·CVSS 6.3
CVE-2017-7489 [MEDIUM]
Multiple security issues were fixed in the latest moodle release.
MSA-17-0010 External blog editing takeover
MSA-17-0011 Searching of blogs possible without capability to do it
MSA-17-0012 CSRF in number of courses displayed in the course overview block
MSA-17-0013 Missing permission check when adding forum post attachments in Web Services
References:
https://moodle.org/mod/forum/discuss.php?d=351987
Discussion:
Created moodle tracking bugs for this issue:
Affects: epel-6 [bug 1451670]
Affects: epel-7 [bug 1451672]
Affects: fedora-all [bug 1451671]
http://www.securityfocus.com/bid/96085
http://www.securitytracker.com/id/1038006
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0012