{"containers":{"cna":{"title":"Microsoft Edge Security Feature Bypass Vulnerability","datePublic":"2019-06-11T07:00:00.000Z","cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0..0","versionEndExcluding":"publication"}]}]}],"affected":[{"vendor":"Microsoft","product":"Microsoft Edge (EdgeHTML-based)","platforms":["Windows 10 Version 1703 for 32-bit Systems","Windows 10 Version 1703 for x64-based Systems","Windows 10 Version 1803 for 32-bit Systems","Windows 10 Version 1803 for x64-based Systems","Windows 10 Version 1803 for ARM64-based Systems","Windows 10 Version 1809 for 32-bit Systems","Windows 10 Version 1809 for x64-based Systems","Windows 10 Version 1809 for ARM64-based Systems","Windows Server 2019","Windows 10 Version 1709 for 32-bit Systems","Windows 10 Version 1709 for x64-based Systems","Windows 10 Version 1709 for ARM64-based Systems","Windows 10 Version 1903 for 32-bit Systems","Windows 10 Version 1903 for x64-based Systems","Windows 10 Version 1903 for ARM64-based Systems","Windows 10 Version 1607 for 32-bit Systems","Windows 10 Version 1607 for x64-based Systems","Windows Server 2016"],"versions":[{"version":"1.0..0","lessThan":"publication","versionType":"custom","status":"affected"}]}],"descriptions":[{"value":"A security feature bypass vulnerability exists in Edge that allows for bypassing Mark of the Web Tagging (MOTW). Failing to set the MOTW means that a large number of Microsoft security technologies are bypassed.\nIn a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass. Alternatively, in an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass. Additionally, compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass. However, in all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment.\nThe security update addresses the security feature bypass by correcting how Edge handles MOTW tagging.","lang":"en-US"}],"problemTypes":[{"descriptions":[{"description":"Security Feature Bypass","lang":"en-US","type":"Impact"}]}],"providerMetadata":{"orgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","shortName":"microsoft","dateUpdated":"2025-05-20T17:49:50.237Z"},"references":[{"name":"Microsoft Edge Security Feature Bypass Vulnerability","tags":["vendor-advisory"],"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1054"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","baseSeverity":"MEDIUM","baseScore":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T18:06:31.457Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1054"}]}]},"cveMetadata":{"assignerOrgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","assignerShortName":"microsoft","cveId":"CVE-2019-1054","datePublished":"2019-06-12T13:49:41.000Z","dateReserved":"2018-11-26T00:00:00.000Z","dateUpdated":"2025-05-20T17:49:50.237Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}