1. Home
  2. CVE Database
  3. CVE-2019-1054
MEDIUM · 5.0

CVE-2019-1054

A security feature bypass vulnerability exists in Edge that allows for bypassing Mark of the Web Tagging (MOTW). Failing to set the MOTW means that a large number of Microsoft security technologies ar...

Vulnerability Description

A security feature bypass vulnerability exists in Edge that allows for bypassing Mark of the Web Tagging (MOTW). Failing to set the MOTW means that a large number of Microsoft security technologies are bypassed. In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass. Alternatively, in an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass. Additionally, compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass. However, in all cases an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment. The security update addresses the security feature bypass by correcting how Edge handles MOTW tagging.

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW

Affected Products

VendorProductVersions
MicrosoftEdge-
MicrosoftWindows 101607
MicrosoftWindows Server 2016-
MicrosoftWindows Server 2019-

References

FAQ

What is CVE-2019-1054?

CVE-2019-1054 is a vulnerability with a CVSS score of 5.0 (MEDIUM). A security feature bypass vulnerability exists in Edge that allows for bypassing Mark of the Web Tagging (MOTW). Failing to set the MOTW means that a large number of Microsoft security technologies ar...

How severe is CVE-2019-1054?

CVE-2019-1054 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-1054?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Edge, Microsoft Windows 10, Microsoft Windows Server 2016, Microsoft Windows Server 2019.