Vulnerable component: Microsoft Internet Explorer
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtering of input data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of another domain.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Note: this vulnerability is being exploited in the wild.
Latest references in media:
- April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks [2017-04-12 18:11:44]
- Microsoft fixes 45 flaws, including three actively exploited vulnerabilities [2017-04-12 15:50:19]
- Microsoft releases security patches for actively exploited critical zero-day vulnerabilities [2017-04-12 12:30:20]
- Microsoft's New Look Patch Tuesday Fixes 46 Bugs [2017-04-12 12:00:37]
- Microsoft Patch Tuesday fixes three flaws actively exploited in attacks in the wild [2017-04-12 10:30:14]
- Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own [2017-04-12 10:30:03]
- Microsoft Patches Office, IE Flaws Exploited in Attacks [2017-04-12 09:20:22]
- Microsoft Patches Three Vulnerabilities Under Attack [2017-04-12 00:20:13]
- Microsoft kicks security bulletins to the curb in favor of security update guide [2017-04-11 21:50:09]