Medium severity 6.1 · NVD Advisory · Published Dec 20, 2016 · Updated May 6, 2026

CVE-2016-7282

Description

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Microsoft Browser Information Disclosure Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information disclosure XSS in Internet Explorer 9-11 and Edge allows remote attackers to inject arbitrary web script via unspecified vectors.

Vulnerability

CVE-2016-7282 is a cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 and Microsoft Edge. The flaw exists due to improper handling of objects in memory, allowing arbitrary web script or HTML injection through unspecified vectors. The vulnerability is addressed in MS16-144 [1] for Internet Explorer and MS16-145 [2] for Microsoft Edge.

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted webpage that, when viewed by a user in an affected browser, triggers the XSS condition. No further user interaction beyond visiting the page is required. The attacker does not need any special network position beyond being able to serve content to the victim.

Impact

Successful exploitation leads to information disclosure, as the injected script can access browser data and potentially leak sensitive information. The attacker gains the ability to execute arbitrary web script or HTML in the context of the victim's browser session, but the vulnerability does not result in remote code execution or system compromise on its own.

Mitigation

Microsoft released security updates in December 2016 as part of MS16-144 [1] and MS16-145 [2], which correct the underlying handling issues. Users should apply the cumulative updates KB3204059 (Internet Explorer) and KB3204062 (Microsoft Edge) to protect affected systems.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Microsoft/Edge (2 versions)
    • cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
    • (no CPE)
  • Microsoft/Internet Explorer (4 versions)
    • cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
    • (no CPE), range: 9-11
