Lucene search

[email protected]CVE-2008-3843

HistoryAug 27, 2008 - 8:41 p.m.

CVE-2008-3843

2008-08-2720:41:00

CWE-79

[email protected]

web.nvd.nist.gov

asp.net

request validation

xss

cross-site scripting

cve-2008-3843

ms07-040

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.7 Medium

AI Score

Confidence

High

0.297 Low

EPSS

Percentile

97.0%

JSON

Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework with the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a “<~/” (less-than tilde slash) sequence followed by a crafted STYLE element.

Affected configurations

NVD

Node

microsoftwindows-ntMatch2003goldserver_x64

microsoftwindows-ntMatch2003sp1server

microsoftwindows-ntMatch2003sp1server_itanium

microsoftwindows-ntMatch2003sp2server

microsoftwindows-ntMatch2003sp2server_itanium

microsoftwindows-ntMatch2003sp2server_x64

microsoftwindows-ntMatch2008

microsoftwindows-ntMatchxpgoldmedia_center_2005

microsoftwindows-ntMatchxpgoldtablet_pc_2005

microsoftwindows-ntMatchxpgoldx64

microsoftwindows-ntMatchxpsp3

microsoftwindows_2000sp4

microsoftwindows_vista

microsoftwindows_vistaMatch-sp1

microsoftwindows_xpsp2

microsoftwindows_xpsp2x64

AND

microsoft.net_frameworkMatch1.0sp3

Node

microsoftwindows-ntMatch2003goldserver_x64

microsoftwindows-ntMatch2003sp1server

microsoftwindows-ntMatch2003sp1server_itanium

microsoftwindows-ntMatch2003sp2server

microsoftwindows-ntMatch2003sp2server_itanium

microsoftwindows-ntMatch2003sp2server_x64

microsoftwindows-ntMatch2008

microsoftwindows-ntMatch2008itanium

microsoftwindows-ntMatch2008x64

microsoftwindows-ntMatchvistasp1x64

microsoftwindows-ntMatchxpgoldx64

microsoftwindows-ntMatchxpsp3

microsoftwindows_2000sp4

microsoftwindows_vista

microsoftwindows_vistagoldx64

microsoftwindows_vistaMatch-sp1

microsoftwindows_xpsp2

microsoftwindows_xpsp2x64

AND

microsoft.net_frameworkMatch1.1sp1

Node

microsoftwindows-ntMatch2003goldserver_x64

microsoftwindows-ntMatch2003sp1server

microsoftwindows-ntMatch2003sp1server_itanium

microsoftwindows-ntMatch2003sp2server

microsoftwindows-ntMatch2003sp2server_itanium

microsoftwindows-ntMatch2003sp2server_x64

microsoftwindows-ntMatchxpgoldx64

microsoftwindows-ntMatchxpsp3

microsoftwindows_2000sp4

microsoftwindows_vista

microsoftwindows_vistagoldx64

microsoftwindows_xpsp2

microsoftwindows_xpsp2x64

AND

microsoft.net_frameworkMatch2.0

CPENameOperatorVersion
microsoft:.net_frameworkmicrosoft .net frameworkeq1.0

CPE	Name	Operator	Version
microsoft:.net_framework	microsoft .net framework	eq	1.0

References

securityreason.com/securityalert/4193

www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf

www.procheckup.com/Vulnerability_PR08-20.php

www.securityfocus.com/archive/1/495667/100/0/threaded

www.securityfocus.com/archive/1/496071/100/0/threaded

exchange.xforce.ibmcloud.com/vulnerabilities/44743

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.7 Medium

AI Score

Confidence

High

0.297 Low

EPSS

Percentile

97.0%

JSON

Related for CVE-2008-3843

nvd1 cvelist1 prion1 nessus1