CVE-2019-1192

EUVD-2019-9763

14.08.2019, 21:15

A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how affected Microsoft browsers handle different-origin requests.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
microsoft	CNA	4.3 MEDIUM				CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Affected Products (NVD)

Vendor	Product	Version
microsoft	edge	-

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

(x64, x86)	KB4520011
1607 (x64, x86)	KB4519998
1703 (x64, x86)	KB4520010
1709 (arm64, x64, x86)	KB4520004
1803 (arm64, x64, x86)	KB4520008
1809 (arm64, x64, x86)	KB4519338
1903 (arm64, x64, x86)	KB4517389

Windows 7

Service Pack 1 (x64, x86)	KB4519974
Service Pack 1 (x64, x86)	KB4519976

Windows 8.1

(x64, x86)	KB4519974
(x64, x86)	KB4520005

Windows RT 8.1

All

KB4520005

Windows Server 2008 R2

Service Pack 1 (x64)	KB4519974
Service Pack 1 (x64)	KB4519976

Windows Server 2012

Standard	KB4520007
Standard	KB4519974

Windows Server 2012 R2

Standard	KB4519974
Standard	KB4520005

Windows Server 2016

Standard

KB4519998

Windows Server 2019

Standard

KB4519338

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1192