支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: a4b10534d1434a3fd64c1571b10658c5e7376639

来源
https://github.com/d0rb/CVE-2024-21388
关联漏洞
标题:Microsoft Edge 安全漏洞 (CVE-2024-21388)
Description:Microsoft Edge是美国微软(Microsoft)公司的一款Windows 10之后版本系统附带的Web浏览器。 Microsoft Edge 存在安全漏洞。目前尚无此漏洞的相关信息,请随时关注CNNVD或厂商公告。
Description
This Python script exploits a vulnerability (CVE-2024-21388) in Microsoft Edge, allowing silent installation of browser extensions with elevated privileges via a private API.
介绍
<div align="center">


 #  🇮🇱  **#BringThemHome #NeverAgainIsNow**   🇮🇱

**We demand the safe return of all citizens who have been taken hostage by the terrorist group Hamas. We will not rest until every hostage is released and returns home safely. You can help bring them back home.
https://stories.bringthemhomenow.net/**
</div>

# Microsoft Edge Vulnerability Exploit (CVE-2024-21388)

This Python script exploits a vulnerability (CVE-2024-21388) in Microsoft Edge, allowing silent installation of browser extensions with elevated privileges via a private API.

## Description
Guardio Labs discovered a vulnerability in Microsoft Edge, designated CVE-2024–21388. This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user’s knowledge. The vulnerability was promptly disclosed to Microsoft, leading to a resolution in February 2024.
https://labs.guard.io/cve-2024-21388-microsoft-edges-marketing-api-exploited-for-covert-extension-installation-879fe5ad35ca


## Exploitation Overview
The vulnerability enables anyone with a method to run JavaScript on bing.com or microsoft.com pages to install any extensions from the Edge Add-ons Store without the user’s consent or interaction. This is an "Elevation of Privilege" issue classified as Moderate in severity by the Microsoft Security Response Center (MSRC).

## Exploit Method
The script utilizes a private browser API accessible from privileged Microsoft websites to install any desired extension silently, bypassing user consent. By injecting a script into the context of a privileged website like bing.com, the exploit triggers the installation of the selected extension without user interaction.

## Usage
1. Ensure Python is installed on your system.
2. Clone the repository and navigate to the exploit script.
3. Edit the script to specify the target extension ID and manifest.
4. Execute the script using Python.

## Disclaimer
This exploit script is for educational purposes only. It should not be used for any malicious activities.
文件快照

 [4.0K]  /data/pocs/a4b10534d1434a3fd64c1571b10658c5e7376639
├── [1.6K]  PoC.py
└── [2.1K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。