Impact
Improper neutralization of user input during web page generation in Microsoft Entra ID creates a cross‑site scripting flaw that allows an authorized attacker to inject malicious content into pages rendered by Microsoft Edge (Chromium‑based). The attacker can opportunistically spoof legitimate pages over the network, potentially deceiving users or capturing sensitive data. This vulnerability is identified as CWE‑79 and can enable attackers to forge page content or masquerade as a trusted source.
Affected Systems
Microsoft Edge (Chromium‑based) users browsing pages generated by Microsoft Entra ID are vulnerable. No specific Edge version range is listed in the advisory, so any release that renders Entra ID content could be impacted. The attack requires an authenticated Entra ID user who can submit content that is subsequently reflected in the browser.
Risk and Exploitability
The CVSS score of 8.8 signals high severity, while the EPSS score of < 1% indicates a very low probability of exploitation. The vulnerability is not included in the CISA KEV catalog. Based on the description it is inferred that the attack vector involves an authorized user inserting input that is then reflected into the user interface of Entra ID, which Edge renders. If exploited, the spoofing could lead to phishing, credential theft, or the injection of malicious scripts into pages viewed by other users.
OpenCVE Enrichment