Microsoft has released a security update for Microsoft Edge that fixes two issues. Exploitation of one of the vulnerabilities could allow to inject and execute arbitrary code in the context of any website.

The issue (CVE-2021-34506) is a universal cross-site scripting (UXSS) vulnerability related to the automatic translation of web pages using the browser's built-in feature via Microsoft Translator.

"Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore experts explained.

The translation feature contains a piece of vulnerable code that failed to sanitize input, thus allowing an attacker to potentially insert malicious JavaScript code anywhere in the webpage. The code will be executed when the user clicks on a notification that prompts them to translate the page into another language.

Experts reported the problem to Microsoft, and the tech giant fixed the vulnerability in browser version 91.0.864.59.

Source: securitylab.ru