Overview
A universal Cross-Site Scripting (uXSS) vulnerability (CVE-2021-34506) exists in Microsoft Edge’s built-in translation function.
Description
Indian researchers Vansh Devgan and Shivam Kumar Singh from CyberXplore Private Limited discovered a universal Cross-Site Scripting (uXSS) vulnerability in Microsoft Edge. Tracked as CVE-2021-34506, the vulnerability exist in the built-in translator function of the browser. The vulnerability can be triggered either manually when a user initiates the translation function or via a call made automatically to the faulty function as a result of the user’s translation setting in the web browser.
A vulnerability that allows attackers to inject malicious code into an otherwise benign website. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.
Ref: NIST SP 800-63-3 Digital Identity Guidelines
uXSS
A Universal Cross-Site Scripting (uXSS) is a type of attack that leverages client-side vulnerabilities (weaknesses in the browser itself) rather than exploiting the vulnerabilities that reside on a web page (server-side vulnerabilities).
The vulnerability arises from improper sanitization of input that allows an attacker to potentially insert malicious JavaScript code, as is the case with XSS vulnerabilities. Specifically, the translation function fails to properly handle an input of text that contains an ">img tag and not in the browser’s default language. To demonstrate a PoC exploit for the vulnerability, the researchers used the “>img src=x onerror=alert(1)> as a malicious payload. More details on the PoC can be found on the technical writeup. The following PoC video shared by the researchers also demonstrates the exploitability of the vulnerability with a foreign language YouTube comment.
The vulnerability (CVE-2021-34506) is considered to be critical as it is of uXSS type. In other words, Microsoft Edge user could fall victim of attacks due to this vulnerability, simply by visiting any web page that reflect user inputs, i.e., by opening a web page that shows user comments, such as a YouTube page or any blogging sites with comments enabled.
Impact
An adversary can inject malicious scripts on the benign web pages that reflect user inputs and as a result the adversary can get these malicious scripts to run on the client-side machines (on the users’ browsers).
Impact Summary
Category: Universal Cross-Site Scripting (uXSS)
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
Solution (Update)
The uXSS vulnerability (CVE-2021-34506) can be remediated by updating the Microsoft Edge browsers to the patched version of 91.0.864.59. In order to update Microsoft Edge to the most current version, users should click on the three points in the upper right and simply select the following menu options: Settings > About Microsoft Edge, as depicted below.
One single vulnerability all an attacker needs.
Window Snyder
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
- Technical Writeup on the Vulnerability (CVE-2021-34506)
- https://nvd.nist.gov (CVE-2021-34506)
- Microsoft Security Advisory (CVE-2021-34506)
To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?
){kind=link}