Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.
2017-02-26T23:59:00.150
2025-04-20T01:37:25.860
Deferred
CVSSv3.1: 8.1 (HIGH)
AV:N/AC:H/Au:N/C:C/I:C/A:C
4.9
10.0
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | microsoft | edge | * | Yes |
| Operating System | microsoft | windows_10_1507 | - | No |
| Operating System | microsoft | windows_10_1511 | - | No |
| Operating System | microsoft | windows_10_1607 | - | No |
| Application | microsoft | internet_explorer | 11 | Yes |
| Operating System | microsoft | windows_10_1507 | - | No |
| Operating System | microsoft | windows_10_1511 | - | No |
| Operating System | microsoft | windows_10_1607 | - | No |
| Operating System | microsoft | windows_8.1 | - | No |
| Operating System | microsoft | windows_rt_8.1 | - | No |
| Operating System | microsoft | windows_server_2012 | - | No |
| Operating System | microsoft | windows_server_2012 | r2 | No |
| Operating System | microsoft | windows_server_2016 | - | No |