CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
69.6%
Security researchers David Huang and Collin Jackson of Carnegie Mellon University CyLab (Silicon Valley campus) reported that the type attribute of an tag can override the charset of a framed HTML document, even when the document is included across origins. A page could be constructed containing such an tag which sets the charset of the framed document to UTF-7. This could potentially allow an attacker to inject UTF-7 encoded JavaScript into a site, bypassing the site’s XSS filters, and then executing the code using the above technique.