CVE-2024-21388

MEDIUM

Microsoft Edge Chromium < 121.0.2277.83 - Elevation of Privilege

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-21388. PoCs published by d0rb.

AI-analyzed exploit summary: The repository contains a functional Python script that exploits CVE-2024-21388 in Microsoft Edge by injecting JavaScript to silently install browser extensions via a private API. The exploit leverages the `chrome.edgeMarketingPagePrivate.installTheme` function to bypass user consent.

Description

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Exploits (1)

nomisec · WORKING POC · 6 stars
by d0rb · poc
https://github.com/d0rb/CVE-2024-21388

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Edge (versions affected by CVE-2024-21388)
No auth needed
Prerequisites: Ability to execute JavaScript on bing.com or microsoft.com · Valid extension ID from the Edge Add-ons Store
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 6.5
EPSS 0.3195
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE: CWE-20
Status: published
Products (1): microsoft/edge_chromium < 121.0.2277.83
Published: Jan 30, 2024
Tracked Since: Feb 18, 2026