Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
mscveMicrosoftMS:CVE-2019-1054
HistoryJun 11, 2019 - 7:00 a.m.

Microsoft Edge Security Feature Bypass Vulnerability

2019-06-1107:00:00
Microsoft
msrc.microsoft.com
16

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS

0.002

Percentile

54.8%

JSON

A security feature bypass vulnerability exists in Edge that allows for bypassing Mark of the Web Tagging (MOTW). Failing to set the MOTW means that a large number of Microsoft security technologies are bypassed.

In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass. Alternatively, in an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass. Additionally, compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass. However, in all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment.

The security update addresses the security feature bypass by correcting how Edge handles MOTW tagging.

Related

cvelist 1
nvd 1
cve 1
symantec 1
prion 1
kaspersky 1
openvas 6
nessus 6
mskb 6
talosblog 1
cvelist
cvelist
CVE-2019-1054
2019-06-12 13:49:41
nvd
nvd
CVE-2019-1054
2019-06-12 14:29:04
cve
cve
CVE-2019-1054
2019-06-12 14:29:04
symantec
symantec
Microsoft Edge CVE-2019-1054 Security Bypass Vulnerability
2019-06-11 00:00:00
prion
prion
Security feature bypass
2019-06-12 14:29:00
kaspersky
kaspersky
KLA11500 Multiple vulnerabilities in Microsoft Browsers
2019-06-11 00:00:00
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4503293)
2019-06-12 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4503279)
2019-06-12 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4503267)
2019-06-12 00:00:00
nessus
nessus
KB4503293: Windows 10 Version 1903 June 2019 Security Update
2019-06-11 00:00:00
KB4503279: Windows 10 Version 1703 June 2019 Security Update
2019-06-11 00:00:00
KB4503267: Windows 10 Version 1607 and Windows Server 2016 June 2019 Security Update
2019-06-11 00:00:00
mskb
mskb
June 11, 2019—KB4503279 (OS Build 15063.1868)
2019-06-11 07:00:00
June 11, 2019—KB4503267 (OS Build 14393.3025)
2019-06-11 07:00:00
June 11, 2019—KB4503293 (OS Build 18362.175)
2019-06-11 07:00:00
talosblog
talosblog
Microsoft Patch Tuesday — June 2019: Vulnerability disclosures and Snort coverage
2019-06-11 11:42:30

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS

0.002

Percentile

54.8%

JSON
Related for MS:CVE-2019-1054
cvelist1nvd1cve1symantec1prion1kaspersky1openvas6nessus6mskb6talosblog1