Information disclosure in Microsoft Edge
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-38222 |
| CWE-ID | CWE-276 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Microsoft Edge Client/Desktop applications / Web browsers |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Incorrect default permissions
EUVDB-ID: #VU97174
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-38222
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in Edge WebUI permission implementation. A remote attacker can trick a victim into visiting a specially crafted website and gain access to sensitive information by manipulating granted permissions, such as access to camera and microphone.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 127.0.2651.105
CPE2.3- cpe:2.3:a:microsoft:edge:127.0.2651.105:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:126.0.2592.137:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:125.0.2535.92:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:124.0.2478.131:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:123.0.2420.97:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:122.0.2365.120:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:120.0.2336.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:121.0.2277.128:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:119.0.2151.97:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:118.0.2088.122:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:117.0.2045.60:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:116.0.1938.98:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:109.0.1518.140:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:115.0.1901.203:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:114.0.1901.183:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:113.0.1774.57:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:112.0.1722.84:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:111.0.1661.62:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:110.0.1587.78:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:108.0.1462.95:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:106.0.1370.86:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:107.0.1418.62:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:105.0.1343.53:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:104.0.1293.91:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:103.0.1264.77:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:102.0.1245.62:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:101.0.1210.53:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.60:*:*:*:*:*:*:*
http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38222
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
