CVE-2024-49054: Microsoft Edge (Chromium-based) Spoofing Vulnerability

Overview

Severity

Medium (CVSS 4.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

Category

Edge - Chromium

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Nov

Released

2024-11-21

Last Updated

2024-11-22

EPSS Score

0.13% (percentile: 31.9%)

FAQ

What is the version information for this release? Microsoft Edge Version Date Released Based on Chromium Version 131.0.2903.63 11/21/2024 131.0.6778.85/.86 According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N), some loss of integrity (I:L) but have no effect on availability (A:N). What is the impact of this vulnerability An attacker could create a long URL for a download domain so that when Edge displays the entire URL the main part of the domain gets cut off. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on a specially crafted URL to be compromised by the attacker.

Affected Products (1)

Browser

• Microsoft Edge (Chromium-based)

Acknowledgments

<a href="https://www.linkedin.com/in/sazzad-mahmud-tomal-4422b0236">Sazzad Mahmud Tomal</a>, <a href="https://www.linkedin.com/in/0xsaikat">Sakil Hasan Saikat</a>

Revision History

• 2024-11-21: Information published.
• 2024-11-22: Updated CWE value. This is an informational change only.