CVE-2017-11863
published 2017-11-15CVE-2017-11863: Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick a user…
PriorityP428medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EPSS
3.49%
87.7th percentile
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick a user into loading a page containing malicious content, due to how the Edge Content Security Policy (CSP) validates documents, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-11872 and CVE-2017-11874.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft_corporation | microsoft_edge | — | — |
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1703_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1703_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | microsoft_edge_on_windows_server_2016 | — | — |
CVSS provenance
nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_msrc4.2MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-5qcr-3r6j-g5fp: Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick
ghsa_unreviewed·2022-05-17·CVSS 6.5
CVE-2017-11863 [MEDIUM] CWE-20 GHSA-5qcr-3r6j-g5fp: Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick a user into loading a page containing malicious content, due to how the Edge Content Security Policy (CSP) validates documents, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-11872 and CVE-2017-11874.
GHSA
GHSA-mpq3-wcg8-72j4: Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, version 1709, and ChakraCore allows an attacker to bypass Control Flow Guard (CFG)
ghsa_unreviewed·2022-05-13·CVSS 6.1
CVE-2017-11874 [MEDIUM] GHSA-mpq3-wcg8-72j4: Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, version 1709, and ChakraCore allows an attacker to bypass Control Flow Guard (CFG)
Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, version 1709, and ChakraCore allows an attacker to bypass Control Flow Guard (CFG) to run arbitrary code on a target system, due to how Microsoft Edge handles accessing memory in code compiled by the Edge Just-In-Time (JIT) compiler, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-11863 and CVE-2017-11872.
GHSA
GHSA-7v23-c6x7-x7h2: Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to force the browser to send data that would otherwise b
ghsa_unreviewed·2022-05-13·CVSS 6.1
CVE-2017-11872 [MEDIUM] GHSA-7v23-c6x7-x7h2: Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to force the browser to send data that would otherwise b
Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server 2016 allows an attacker to force the browser to send data that would otherwise be restricted to a destination website of the attacker's choice, due to how Microsoft Edge handles redirect requests, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-11863 and CVE-2017-11874.
Microsoft
Microsoft Edge Security Feature Bypass Vulnerability
vendor_msrc·2017-11-14·CVSS 4.2
CVE-2017-11863 [MEDIUM] Microsoft Edge Security Feature Bypass Vulnerability
Microsoft Edge Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents. An attacker who exploited the bypass could trick a user into loading a page containing malicious content.
To exploit the bypass, an attacker must trick a user into either loading a page containing malicious content or visiting a malicious website. The attacker could also inject the malicious page into either a compromised website or an advertisement network.
The security update addresses the bypass by correcting how the Edge CSP validates documents.
Microsoft Edge: Microsoft Edge
Impact: Security Feature Bypass
Exploit Status: Publicly Disclosed:No;Ex
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/101748http://www.securitytracker.com/id/1039801https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11863http://www.securityfocus.com/bid/101748http://www.securitytracker.com/id/1039801https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11863
2017-11-15
Published