Security
Headlines
HeadlinesLatestCVEs

Tag

#chrome

CVE-2025-21253: Microsoft Edge for IOS and Android Spoofing Vulnerability

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 133.0.3065.51 2/6/2025 133.0.6943.53/54

Microsoft Security Response Center
Open in Source
#vulnerability#ios#android#microsoft#chrome#Microsoft Edge for iOS and Android#Security Vulnerability
CVE-2025-21279: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution?** Successful exploitation of this vulnerability requires the victim user to click a malicious link so that the attacker can initiate remote code execution on the renderer process.

CVE-2025-21267: Microsoft Edge (Chromium-based) Spoofing Vulnerability

**How could an attacker exploit this vulnerability?** To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

CVE-2025-21404: Microsoft Edge (Chromium-based) Spoofing Vulnerability

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 133.0.3065.51 2/6/2025 133.0.6943.53/54

GHSA-mj4v-hp69-27x5: Plenti - Code Injection - Denial of Services

### Summary While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context. ### Details While posting a file via postLocal, any attacker will add javascript codes to file parameter. That parameter content pass to componentSignature method after some validation. After that componentSignature parameter concat with ssrStr parameter. <img width="1145" alt="image" src="https://github.com/user-attachments/assets/a08a3fe5-2fbd-4a05-b93c-2ad127e6ee81" /> Last part of compileSvelte function ssrStr parameter executed in v8go engine. <img width="754" alt="image" src="https://github.com/user-attachments/assets/4e622761-3324-48d6-8264-6dd6e09055af" /> This cause to any one who can post a file also can push javascript code and run it. Thanks to v8go we can't use all javascript metod, if there is no any vulnerability in v8go we can't escape sandbox and can't run dangerous command like opening socket etc. But we can create infinite loop ...

Ferret Malware Added to 'Contagious Interview' Campaign

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

New ValleyRAT Malware Variant Spreading via Fake Chrome Downloads

Morphisec uncovers a new ValleyRAT malware variant with advanced evasion tactics, multi-stage infection chains, and novel delivery methods…

N. Korean ‘FlexibleFerret’ Malware Hits macOS with Fake Zoom, Job Scams

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users…