Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site
2021-06-28 06:08

Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website.

Tracked as CVE-2021-34506, the weakness stems from a universal cross-site scripting issue that's triggered when automatically translating web pages using the browser's built-in feature via Microsoft Translator.

"Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore researchers said in a write-up shared with The Hacker News.

Specifically, the researchers found that the translation feature contained vulnerable code that failed to sanitize input, potentially allowing an attacker to insert malicious JavaScript code anywhere in the webpage, which is then executed when the user clicks the prompt on the address bar to translate the page.

Following responsible disclosure on June 3, Microsoft fixed the issue on June 24, in addition to awarding the researchers $20,000 as part of its bug bounty program.

The latest update to the Chromium-based browser can be downloaded by visiting Settings and more > About Microsoft Edge.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/oAPglPB5YsI/microsoft-edge-bug-couldve-let-hackers.html

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-07-01 | CVE-2021-34506 | Unspecified vulnerability in Microsoft Edge Chromium. Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (network, low complexity, microsoft) | 6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774