CVE-2019-0678 — Incorrect Authorization in Microsoft Edge

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

6.0%

top 9.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Edge

Timeline

PublishedApr 9

Latest updateMay 13

Description

An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages1 packages

▶CVEListV5microsoft/microsoft_edge15 versions+14

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-hvvr-3hp7-3wj6: An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to a↗2022-05-13

▶

CVEList

CVE-2019-0678: An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to a↗2019-04-08

▶

📋Vendor Advisories

Microsoft

Microsoft Edge Elevation of Privilege Vulnerability↗2019-03-12

▶