CVE-2021-34506

2022-11-25T16:20:57

Description

This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

{"id": "CVE-2021-34506", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-34506", "description": "This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.", "published": "2022-11-25T16:20:57", "modified": "2022-11-25T16:20:57", "cvss": {}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "candidate", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-11-25T16:20:57", "viewCount": 6, "enchantments": {"score": {"value": 1.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B5C7AB6D-DC1F-4CAB-BEEF-B5E3D1372C18"]}, {"type": "kaspersky", "idList": ["KLA12212"]}, {"type": "mscve", "idList": ["MS:CVE-2021-34506"]}, {"type": "nessus", "idList": ["MICROSOFT_EDGE_CHROMIUM_91_0_864_59.NASL"]}, {"type": "thn", "idList": ["THN:64DBC123B883AF07B01C89E0330CCE81"]}, {"type": "threatpost", "idList": ["THREATPOST:1EFDBB99BE335E76B04D9A3CC0BA6875"]}]}, "vulnersScore": 1.5}, "_state": {"score": 1669393386, "dependencies": 1669393304}, "_internal": {"score_hash": "fe0a5916b86de729794958b4c7464aaf"}, "cna_cvss": {}, "cpe": [], "cpe23": [], "cwe": [], "affectedSoftware": [], "affectedConfiguration": [], "cpeConfiguration": {}, "extraReferences": []}

{"thn": [{"lastseen": "2022-05-09T12:37:54", "description": "[![](https://thehackernews.com/images/-q78vTtYWq7g/YNnCrYghY7I/AAAAAAAADBM/iaXoJiOj51wasI5ua0wsbJlDS8AylHMWwCLcBGAsYHQ/s0/IE.jpg)](<https://thehackernews.com/images/-q78vTtYWq7g/YNnCrYghY7I/AAAAAAAADBM/iaXoJiOj51wasI5ua0wsbJlDS8AylHMWwCLcBGAsYHQ/s0/IE.jpg>)\n\nMicrosoft last week rolled out updates for the Edge browser with [fixes for two security issues](<https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security>), one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website.\n\nTracked as [CVE-2021-34506](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34506>) (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that's triggered when automatically translating web pages using the browser's [built-in feature via Microsoft Translator](<https://support.microsoft.com/en-us/topic/use-microsoft-translator-in-microsoft-edge-browser-4ad1c6cb-01a4-4227-be9d-a81e127fcb0b>).\n\nCredited for discovering and reporting CVE-2021-34506 are Ignacio Laurence as well as Vansh Devgan and Shivam Kumar Singh with CyberXplore Private Limited. \n\n\"Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code,\" CyberXplore researchers [said](<https://cyberxplore.medium.com/how-we-are-able-to-hack-any-company-by-sending-message-including-facebook-google-microsoft-b7773626e447>) in a write-up shared with The Hacker News.\n\n\"When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.\"\n\nSpecifically, the researchers found that the translation feature had a piece of vulnerable code that failed to sanitize input, thus allowing an attacker to potentially insert malicious JavaScript code anywhere in the webpage that's then subsequently executed when the user clicks the prompt on the address bar to translate the page.\n\nAs a proof-of-concept (PoC) exploit, the researchers demonstrated it was possible to trigger the attack simply by adding a comment to a YouTube video, which is written in a language other than English, along with an XSS payload.\n\nIn a similar vein, a friend request from a Facebook profile containing other language content and the XSS payload was found to execute the code as soon as the recipient of the request checked out the user's profile.\n\nFollowing responsible disclosure on June 3, Microsoft fixed the issue on June 24, in addition to awarding the researchers $20,000 as part of its bug bounty program.\n\nThe latest update (version 91.0.864.59) to the Chromium-based browser can be downloaded by visiting Settings and more > About Microsoft Edge (edge://settings/help).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-06-28T13:08:00", "type": "thn", "title": "Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34506"], "modified": "2021-06-28T13:08:38", "id": "THN:64DBC123B883AF07B01C89E0330CCE81", "href": "https://thehackernews.com/2021/06/microsoft-edge-bug-couldve-let-hackers.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2021-07-20T20:09:15", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at June 24, 2021 7:26pm UTC reported:\n\nMicrosoft Edge contains a security feature bypass vulnerability, and a PoC exploit hasn\u2019t been publicly disclosed at this time.\n\nSource:<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34506>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2021-06-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-34506", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34506"], "modified": "2021-06-09T00:00:00", "id": "AKB:B5C7AB6D-DC1F-4CAB-BEEF-B5E3D1372C18", "href": "https://attackerkb.com/topics/xTx8v4kxSk/cve-2021-34506", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2022-11-03T12:19:06", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.", "cvss3": {}, "published": "2021-06-24T07:00:00", "type": "mscve", "title": "Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {}, "cvelist": ["CVE-2021-34506"], "modified": "2021-09-21T07:00:00", "id": "MS:CVE-2021-34506", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34506", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2021-06-29T22:45:49", "description": "Microsoft patched two bugs in its [Chromium-based](<https://threatpost.com/chrome-zero-day-exploit-twitter/165363/>) Edge browser last week, one of which could be used by an attacker to bypass security and to remotely inject and execute arbitrary code on any website just by sending a message.\n\nThat security-bypassing bug, [CVE-2021-34506](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34506>), is rated CVSS 5.4, or important. Its complexity is low, and an attacker could pull it off without needing any privileges, Microsoft said when it released the fixes on Thursday. An exploit would require user interaction, though.\n\nMicrosoft said there are no known exploits, however researchers have published a working proof-of-concept attack.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe flaw stems from a universal cross-site scripting (UXSS) issue that\u2019s triggered when automatically translating web pages using the Edge browser\u2019s [built-in Microsoft Translator](<https://support.microsoft.com/en-us/topic/use-microsoft-translator-in-microsoft-edge-browser-4ad1c6cb-01a4-4227-be9d-a81e127fcb0b>) feature: a feature through which the browser automatically prompts users to translate a webpage when the page is in a language other than those listed under the user\u2019s preferred languages in settings.\n\nAs explained by the analysts who found and reported the bug, an UXSS is unlike your more run-of-the-mill XSS attacks in that it \u201cexploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition\u201d and to execute malicious code. \u201cWhen such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,\u201d they said in a [posting](<https://cyberxplore.medium.com/how-we-are-able-to-hack-any-company-by-sending-message-including-facebook-google-microsoft-b7773626e447>) earlier this month.\n\nResearchers credited for the bug\u2019s discovery are Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh, with CyberXplore Private Limited.\n\n## \u2018What\u2019s Up With This \u043f\u0435\u0440\u0435\u0432\u043e\u0434?\u2019\n\nResearchers found the vulnerability on the mail[.]ru subdomain. [HackerOne](<https://threatpost.com/hackerone-breach-20000-bounty-reward/150846/>) offers bounties of up to $40,000 for critical issues found on mail[.]ru sites.\n\nGiven that Chrome doesn\u2019t run automatic translation of pages from different languages, the bug hunters are in the habit of using Firefox with the penetration-testing platform [Burp Suite](<https://threatpost.com/bug-bounty-faq/159569/>) to \u201cplay with web applications,\u201d they said.\n\nAs they were poking around, looking for vulnerabilities on a mail[.]ru subdomain, they came across a number of issues as the Firefox browser tried to translate.\n\nA hunt for a Firefox translation extension that could help translate the page into English turned up zip. In fact, many extensions get removed because they contain vulnerable code, the analysts said. Well, that got them thinking: How can a vulnerable extension affect browser users?\n\nThe answer: a lot. One example: 18 months ago, researchers found [500 malicious Chrome extensions](<https://threatpost.com/500-malicious-chrome-extensions-millions/152918/>) secretly collecting users\u2019 browser data and redirecting them to malware-laced websites. Those bad extensions were downloaded millions of times from Google\u2019s Chrome Web Store before they got sniffed out and yanked.\n\nIt occurred to the analysts that extensions have \u201cuniversal access to any site\u201d on a browser. \u201cLike, if you are on facebook.com, [your browser] can access [the] complete DOM [Document Object Model, an interface to web pages] of that page,\u201d they wrote, including cookies or \u201canything\u201d that\u2019s \u201cpossible with javascript.\u201d That\u2019s when the trio set out to find a flaw in the mail[.]ru subdomain using Microsoft\u2019s Edge browser.\n\nWhy pick on Microsoft Edge? It\u2019s like why crooks rob banks: Because that\u2019s where the money is.\n\n> \u201cIt Has An [sic] Bounty Program\u201d \n\u2014CyberXplore Private Limited analysts\n\nFirst, they decided to try to translate the mail[.]ru website in Microsoft Edge and to test it one last time, given that Edge had a newly updated Translator By Microsoft feature. When the analysts returned to the mail.ru site, that\u2019s when the ka-chings started sounding. It was, in fact, \u201cfilled with XSS Payloads,\u201d they wrote. \u201cWe found out that as soon as we translated [the] page we got so many popups on Microsoft Edge it looked strange,\u201d they explained, so they flipped back over to Google\u2019s Chrome browser. \u201cThis time no popup!\u201d they said.\n\nA little digging turned up vulnerable code in the new Microsoft Edge translator that \u201ctakes any html tags having an \u2018>img\u2019 tag without sanitising [sic] the input or converting the payload into text while translating,\u201d the analysts described. In other words, the internal translator was taking the \u201c>img src=x onerror=alert(1)>\u201d payload and executing it as javascript without proper validation.\n\nSpecifically, they think that the bug is in the \u201cstartPageTranslation\u201d code snippet.\n\n## PoC: Just a Facebook Comment & a Dab of XSS Payload\n\nIn the proof-of-concept (PoC) shown below on Facebook, the researchers demonstrated how to trigger the attack simply by adding a comment to a Facebook video that\u2019s written in a language other than English, along with an XSS payload.\n\nWindows Store applications, such as Instagram, are also vulnerable to the attack, they added, given that the Windows Store uses the same Microsoft Edge Translator that can trigger this UXSS attack.\n\nDirk Schrader, global vice president at New Net Technologies, told Threatpost on Tuesday that vulnerabilities that exploit XSS are often prevalent because \u201cthey are difficult and time-consuming to test for automatically.\u201d\n\nIn order to mitigate such bugs, secure coding techniques \u201cat source\u201d are \u201cultra-critical,\u201d Schrader said. Sound basic? Yes indeed: That\u2019s because the basics \u201cleave most organizations at risk,\u201d he said. Maybe these bugs are tough to fix and suck up time, but they\u2019re worth the effort, he added: \u201cCore security controls such as vulnerability management, patching and configuration hardening are still going to give the best return for protection vs. effort.\u201d\n\nThe analysts reported their findings on June 3. They were awarded a $20,000 bounty on June 17, and Microsoft issued a patch last week, on Thursday.\n\n062921 13:36: Corrected an incorrect reference to what the PoC shows: It is, in fact, a Facebook takeover that the analysts featured in their video. Also added input from Dirk Schrader.\n\n**Join Threatpost for \u201c**[**Tips and Tactics for Better Threat Hunting**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**\u201d \u2014 a LIVE event on **[**Wed., June 30 at 2:00 PM ET**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. **[**Register HERE**](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)** for free. **\n", "cvss3": {}, "published": "2021-06-29T16:34:21", "type": "threatpost", "title": "Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34506"], "modified": "2021-06-29T16:34:21", "id": "THREATPOST:1EFDBB99BE335E76B04D9A3CC0BA6875", "href": "https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-11T14:50:35", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 91.0.864.59. It is, therefore, affected by multiple vulnerabilities as referenced in the June 24, 2021 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-25T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 91.0.864.59 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-34475", "CVE-2021-34506"], "modified": "2021-06-25T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_91_0_864_59.NASL", "href": "https://www.tenable.com/plugins/nessus/150999", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150999);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/25\");\n\n script_cve_id(\"CVE-2021-34475\", \"CVE-2021-34506\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 91.0.864.59 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 91.0.864.59. It is, therefore, affected\nby multiple vulnerabilities as referenced in the June 24, 2021 advisory. Note that Nessus has not tested for this issue\nbut has instead relied only on the application's self-reported version number.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#june-24-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fcf1608e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34475\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34506\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 91.0.864.59 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34506\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/06/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\napp_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nconstraints = [\n { 'fixed_version' : '91.0.864.59' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2021-12-22T23:17:26", "description": "### *Detect date*:\n06/24/2021\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to gain privileges, bypass security restrictions.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-34475](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34475>) \n[CVE-2021-34506](<https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2021-34506>) \n\n\n### *Impacts*:\nSB \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *Microsoft official advisories*:", "cvss3": {}, "published": "2021-06-24T00:00:00", "type": "kaspersky", "title": "KLA12212 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34475", "CVE-2021-34506"], "modified": "2021-07-08T00:00:00", "id": "KLA12212", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12212/", "cvss": {"score": 0.0, "vector": "NONE"}}]}