An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. To exploit the vulnerability, an attacker would have to trick a user into browsing to a specially crafted website, allowing the attacker to steal the user's token. The security update addresses the vulnerability by correcting how MSA handles cookies.
Windows HTML Platforms Security Feature Bypass Vulnerability
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Microsoft Edge for Android Information Disclosure Vulnerability
A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft browsers and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how affected Microsoft browsers handle different-origin requests.
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network.
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Microsoft Edge for Android Spoofing Vulnerability
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
A remote code execution vulnerability exists in the way Microsoft SharePoint software parses specially crafted email messages, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
An information disclosure vulnerability exists when Skype for Business is accessed via Internet Explorer, aka 'Skype for Business via Internet Explorer Information Disclosure Vulnerability'.
An information disclosure vulnerability exists when Skype for Business is accessed via Microsoft Edge (EdgeHTML-based), aka 'Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability'.
An information disclosure vulnerability exists in the way that affected Microsoft browsers handle cross-origin requests, aka 'Microsoft Browser Information Disclosure Vulnerability'.
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka 'Windows Graphics Component Information Disclosure Vulnerability'.
An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory, aka 'Windows Media Player Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1480.
An information disclosure vulnerability exists in Windows Media Player when it fails to properly handle objects in memory, aka 'Windows Media Player Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1481.
A security feature bypass vulnerability exists when Microsoft Browsers fail to validate the correct Security Zone of requests for specific URLs, aka 'Microsoft Browser Security Feature Bypass Vulnerability'.
Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
User interface (UI) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.
An information disclosure vulnerability exists where certain modes of the search function in Microsoft SharePoint Server are vulnerable to cross-site search attacks (a variant of cross-site request forgery, CSRF), aka "Microsoft SharePoint Information Disclosure Vulnerability." This affects Microsoft SharePoint.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
MapUrlToZone Security Feature Bypass Vulnerability
MapUrlToZone Security Feature Bypass Vulnerability
MapUrlToZone Security Feature Bypass Vulnerability
MapUrlToZone Security Feature Bypass Vulnerability
MapUrlToZone Security Feature Bypass Vulnerability
Windows HTML Platforms Security Feature Bypass Vulnerability
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
Protection mechanism failure in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
Microsoft Edge (Chrome based) Spoofing on IE Mode
Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability
A security feature bypass vulnerability exists in Microsoft Outlook when Office fails to enforce security settings configured on a system, aka 'Microsoft Outlook Security Feature Bypass Vulnerability'.
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
An information disclosure vulnerability exists when Microsoft Edge based on EdgeHTML improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site. The update addresses the vulnerability by modifying how Microsoft Edge based on EdgeHTML handles objects in memory.
MapUrlToZone Security Feature Bypass Vulnerability
External control of file name or path in Windows Security App allows an authorized attacker to perform spoofing locally.
NTLM Hash Disclosure Spoofing Vulnerability
Microsoft OpenSSH for Windows Remote Code Execution Vulnerability
Windows HTML Platforms Security Feature Bypass Vulnerability
Microsoft SharePoint Server Elevation of Privilege Vulnerability
External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
Microsoft Power Platform Connector Spoofing Vulnerability
Windows HTML Platforms Security Feature Bypass Vulnerability
Windows MSHTML Platform Security Feature Bypass Vulnerability
External control of file name or path in Windows Kernel allows an authorized attacker to elevate privileges locally.
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.