The version of Microsoft Edge installed on the remote Windows host is prior to 131.0.2903.48. It is, therefore, affected by multiple vulnerabilities as referenced in the November 14, 2024 advisory.

  - Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote     attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)     (CVE-2024-11110)

  - Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker     who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
    (Chromium security severity: Medium) (CVE-2024-11111)

  - Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to     potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)     (CVE-2024-11112)

  - Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had     compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium     security severity: Medium) (CVE-2024-11113)

  - Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote     attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted     HTML page. (Chromium security severity: Medium) (CVE-2024-11114)

  - Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a     remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity:
    Medium) (CVE-2024-11115)

  - Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker     who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page.
    (Chromium security severity: Medium) (CVE-2024-11116)

  - Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote     attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)     (CVE-2024-11117)

  - Microsoft Edge (Chromium-based) Information Disclosure Vulnerability (CVE-2024-49025)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Microsoft Edge (Chromium) < 131.0.2903.48 Multiple Vulnerabilities

high Nessus Plugin ID 211402

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.4 Jan 8, 2025, 10:03 AM CVSS metrics ("CVSSv2 score" set to 10.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 8.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv2 score source (changed from "CVE-2024-49025" to "CVE-2024-11115") CVSSv2 severity (based on CVE-2024-11115, severity increased from "Medium" to "High") CVSSv3 severity (based on None, severity increased from "Medium" to "High") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202501081003
Version 1.3 Dec 13, 2024, 12:03 PM IAVM reference Plugin Feed: 202412131203
Version 1.2 Nov 22, 2024, 6:54 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202411221854
Version 1.1 Nov 15, 2024, 3:52 PM New Plugin Feed: 202411151552