CVE Vulnerabilities

CVE-2024-21382

Permissive Cross-domain Security Policy with Untrusted Domains

Published: Jan 26, 2024 | Modified: Nov 21, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Microsoft Edge for Android Information Disclosure Vulnerability

Weakness

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Affected Software

Name Vendor Start Version End Version
Edge_chromium Microsoft * 121.0.2277.83 (excluding)

Extended Description

If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.

Potential Mitigations

References