CVE-2021-31936: Microsoft Accessibility Insights for Web Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.4)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-May

Released

2021-05-11

Last Updated

2023-10-17

EPSS Score

5.56% (percentile: 90.3%)

FAQ

What type of information could be disclosed by this vulnerability? This vulnerability could disclose web content from cross-origin frames. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A user would have to visit a web page with malicious javascript and run an extension scan on the web page. According to the CVSS metric, successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? The vulnerability is in the Accessibility Insight for Web browser extension, but the impact is on the application running on the browser.

Affected Products (1)

Azure

• Microsoft Accessibility Insights for Web

Security Updates (1)

• Release Notes

Acknowledgments

Rohit Gurunath of Microsoft, Dan Bjorge of Microsoft, Dvir Shamay of Microsoft

Revision History

• 2021-05-11: Information published.
• 2021-05-25: Added acknowledgements. This is an informational change only.
• 2023-10-17: Added an FAQ. This is an information change only.