SB2023050601 - Multiple vulnerabilities in Microsoft Edge
Published: May 6, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 secuirty vulnerabilities.
1) Improperly implemented security check for standard (CVE-ID: CVE-2023-2459)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
2) Input validation error (CVE-ID: CVE-2023-2460)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in Extensions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
3) Improperly implemented security check for standard (CVE-ID: CVE-2023-2462)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
4) Improperly implemented security check for standard (CVE-ID: CVE-2023-2463)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Full Screen Mode in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
5) Improperly implemented security check for standard (CVE-ID: CVE-2023-2464)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in PictureInPicture in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
6) Improperly implemented security check for standard (CVE-ID: CVE-2023-2465)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in CORS in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
7) Improperly implemented security check for standard (CVE-ID: CVE-2023-2466)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
8) Improperly implemented security check for standard (CVE-ID: CVE-2023-2467)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Prompts in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
9) Improperly implemented security check for standard (CVE-ID: CVE-2023-2468)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in PictureInPicture in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
10) Use-after-free (CVE-ID: CVE-2023-29350)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when handling HTML content. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
11) Security features bypass (CVE-ID: CVE-2023-29354)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly implemented security restrictions. A remote attacker can trick the victim to open a specially crafted URL and bypass Content Security Policy (CSP) and Pop-up blocker.
Remediation
Install update from vendor's website.
References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2459
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2460
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2462
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2463
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2464
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2465
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2466
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2467
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-2468
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29350
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29354