The version of Microsoft Edge installed on the remote Windows host is prior to 124.0.2478.51. It is, therefore, affected by multiple vulnerabilities as referenced in the April 18, 2024 advisory.

  - Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability (CVE-2024-29986)

  - Microsoft Edge (Chromium-based) Information Disclosure Vulnerability (CVE-2024-29987)

  - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (CVE-2024-29991)

  - Object corruption in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially     exploit object corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2024-3832)

  - Object corruption in WebAssembly in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to     potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-3833)

  - Use after free in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)     (CVE-2024-3834)

  - Use after free in QUIC in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: Medium) (CVE-2024-3837)

  - Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed an attacker who     convinced a user to install a malicious app to perform UI spoofing via a crafted app. (Chromium security     severity: Medium) (CVE-2024-3838)

  - Out of bounds read in Fonts in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to obtain     potentially sensitive information from process memory via a crafted HTML page. (Chromium security     severity: Medium) (CVE-2024-3839)

  - Insufficient policy enforcement in Site Isolation in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2024-3840)

  - Insufficient data validation in Browser Switcher in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to inject scripts or HTML into a privileged page via a malicious file. (Chromium security     severity: Medium) (CVE-2024-3841)

  - Insufficient data validation in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2024-3843)

  - Inappropriate implementation in Extensions in Google Chrome prior to 124.0.6367.60 allowed a remote     attacker to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)     (CVE-2024-3844)

  - Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 allowed a remote attacker     to bypass mixed content policy via a crafted HTML page. (Chromium security severity: Low) (CVE-2024-3845)

  - Inappropriate implementation in Prompts in Google Chrome prior to 124.0.6367.60 allowed a remote attacker     who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
    (Chromium security severity: Low) (CVE-2024-3846)

  - Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker     to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)     (CVE-2024-3847)

  - Use after free in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially     exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2024-3914)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Microsoft Edge (Chromium) < 124.0.2478.51 Multiple Vulnerabilities

high Nessus Plugin ID 193518

Version 1.5

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.5 May 17, 2024, 10:54 AM IAVM reference Plugin Feed: 202405171054
Version 1.4 May 7, 2024, 8:36 PM Plugin metadata Plugin Feed: 202405072036
Version 1.3 May 4, 2024, 12:33 AM Detection (updated detection logic) Plugin Feed: 202405040033
Version 1.2 Apr 26, 2024, 10:16 AM IAVM reference STIG Severity (set to "I") Plugin Feed: 202404261016
Version 1.1 Apr 19, 2024, 9:35 PM CVSSv2 score source (changed from "CVE-2024-29986" to "CVE-2024-3837") CVSSv2 severity (based on CVE-2024-3837, severity increased from "Medium" to "High") CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H") CVSS metrics ("CVSSv3 score" set to 8.8) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv2 score" set to 10.0) CVE (set "CVE" coverage to "CVE-2024-3832,CVE-2024-3833,CVE-2024-3834,CVE-2024-3837,CVE-2024-3838,CVE-2024-3839,CVE-2024-3840,CVE-2024-3841,CVE-2024-3843,CVE-2024-3844,CVE-2024-3845,CVE-2024-3846,CVE-2024-3847,CVE-2024-3914,CVE-2024-29986,CVE-2024-29987,CVE-2024-29991") CVSSv3 severity (based on None, severity increased from "Medium" to "High") Plugin metadata Plugin Feed: 202404192135
Version 1.0 Apr 19, 2024, 1:37 AM New Plugin Feed: 202404190137