Security
Headlines
HeadlinesLatestCVEs

Tag

#Security Vulnerability

CVE-2022-0298: Chromium: CVE-2022-0298 Use after free in Scheduling

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

Microsoft Security Response Center
#vulnerability#microsoft#Microsoft Edge (Chromium-based)#Security Vulnerability
CVE-2022-0300: Chromium: CVE-2022-0300 Use after free in Text Input Method Editor

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2022-21855: Microsoft Exchange Server Remote Code Execution Vulnerability

**According to the CVSS, the attack vector is Adjacent. What does that mean and how is that different from a Network vector?** This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment.

CVE-2022-21851: Remote Desktop Client Remote Code Execution Vulnerability

**What is required to exploit this vulnerability?** An authenticated user might be tricked into connecting to a malicious remote desktop server in which the remote desktop host server sends a specially crafted PDU (Server RDP Preconnection) targeting the remote client's drive redirection virtual channel. The end result is a potential for remote code execution on the victims machine.

CVE-2022-21920: Windows Kerberos Elevation of Privilege Vulnerability

**In what way does an attacker elevate privileges?** A domain user could use this vulnerability to elevate privileges to a domain admin.

CVE-2022-21837: Microsoft SharePoint Server Remote Code Execution Vulnerability

**How could an attacker exploit the vulnerability?** An authenticated attacker with access to the domain could perform remote code execution on the Sharepoint server to elevate themselves to Sharepoint admin.

CVE-2022-21850: Remote Desktop Client Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

CVE-2022-21849: Windows IKE Extension Remote Code Execution Vulnerability

**Are the any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.

CVE-2022-21848: Windows IKE Extension Denial of Service Vulnerability

**Are the any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.