Lucene search
HistoryJun 03, 2011 - 5:55 p.m.
CVE-2011-2382
CVSS2
4.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
AI Score
6.3
Confidence
Low
EPSS
0.012
Percentile
85.4%
Microsoft Internet Explorer 8 and earlier, and Internet Explorer 9 beta, does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing a file: URL, as demonstrated by a Facebook game, related to a โcookiejackingโ issue.
Affected configurations
Node
microsoftieMatch9beta
ORmicrosoftinternet_explorerRangeโค8
ORmicrosoftinternet_explorerMatch3.0
ORmicrosoftinternet_explorerMatch3.0.1
ORmicrosoftinternet_explorerMatch3.0.2
ORmicrosoftinternet_explorerMatch3.1
ORmicrosoftinternet_explorerMatch3.2
ORmicrosoftinternet_explorerMatch4.0
ORmicrosoftinternet_explorerMatch4.0.1
ORmicrosoftinternet_explorerMatch4.0.1sp1
ORmicrosoftinternet_explorerMatch4.0.1sp2
ORmicrosoftinternet_explorerMatch4.01
ORmicrosoftinternet_explorerMatch4.1
ORmicrosoftinternet_explorerMatch4.01sp1
ORmicrosoftinternet_explorerMatch4.5
ORmicrosoftinternet_explorerMatch4.40.308
ORmicrosoftinternet_explorerMatch4.40.520
ORmicrosoftinternet_explorerMatch4.70.1155
ORmicrosoftinternet_explorerMatch4.70.1158
ORmicrosoftinternet_explorerMatch4.70.1215
ORmicrosoftinternet_explorerMatch4.70.1300
ORmicrosoftinternet_explorerMatch4.71.544
ORmicrosoftinternet_explorerMatch4.71.1008.3
ORmicrosoftinternet_explorerMatch4.71.1712.6
ORmicrosoftinternet_explorerMatch4.72.2106.8
ORmicrosoftinternet_explorerMatch4.72.3110.8
ORmicrosoftinternet_explorerMatch4.72.3612.1713
ORmicrosoftinternet_explorerMatch5
ORmicrosoftinternet_explorerMatch5.0
ORmicrosoftinternet_explorerMatch5.0.1
ORmicrosoftinternet_explorerMatch5.0.1sp1
ORmicrosoftinternet_explorerMatch5.0.1sp2
ORmicrosoftinternet_explorerMatch5.0.1sp3
ORmicrosoftinternet_explorerMatch5.0.1sp4
ORmicrosoftinternet_explorerMatch5.00.0518.10
ORmicrosoftinternet_explorerMatch5.00.0910.1309
ORmicrosoftinternet_explorerMatch5.00.2014.0216
ORmicrosoftinternet_explorerMatch5.00.2314.1003
ORmicrosoftinternet_explorerMatch5.00.2516.1900
ORmicrosoftinternet_explorerMatch5.00.2614.3500
ORmicrosoftinternet_explorerMatch5.00.2919.800
ORmicrosoftinternet_explorerMatch5.00.2919.3800
ORmicrosoftinternet_explorerMatch5.00.2919.6307
ORmicrosoftinternet_explorerMatch5.00.2920.0000
ORmicrosoftinternet_explorerMatch5.00.3103.1000
ORmicrosoftinternet_explorerMatch5.00.3105.0106
ORmicrosoftinternet_explorerMatch5.00.3314.2101
ORmicrosoftinternet_explorerMatch5.00.3315.1000
ORmicrosoftinternet_explorerMatch5.00.3502.1000
ORmicrosoftinternet_explorerMatch5.00.3700.1000
ORmicrosoftinternet_explorerMatch5.01
ORmicrosoftinternet_explorerMatch5.1
ORmicrosoftinternet_explorerMatch5.01sp1
ORmicrosoftinternet_explorerMatch5.01sp2
ORmicrosoftinternet_explorerMatch5.01sp3
ORmicrosoftinternet_explorerMatch5.01sp4
ORmicrosoftinternet_explorerMatch5.2.3
ORmicrosoftinternet_explorerMatch5.5
ORmicrosoftinternet_explorerMatch5.5preview
ORmicrosoftinternet_explorerMatch5.5sp1
ORmicrosoftinternet_explorerMatch5.5sp2
ORmicrosoftinternet_explorerMatch5.50.3825.1300
ORmicrosoftinternet_explorerMatch5.50.4030.2400
ORmicrosoftinternet_explorerMatch5.50.4134.0100
ORmicrosoftinternet_explorerMatch5.50.4134.0600
ORmicrosoftinternet_explorerMatch5.50.4308.2900
ORmicrosoftinternet_explorerMatch5.50.4522.1800
ORmicrosoftinternet_explorerMatch5.50.4807.2300
ORmicrosoftinternet_explorerMatch6
ORmicrosoftinternet_explorerMatch6sp1
ORmicrosoftinternet_explorerMatch6.0
ORmicrosoftinternet_explorerMatch6.00.2462.0000
ORmicrosoftinternet_explorerMatch6.00.2479.0006
ORmicrosoftinternet_explorerMatch6.0.2600
ORmicrosoftinternet_explorerMatch6.00.2600.0000
ORmicrosoftinternet_explorerMatch6.0.2800
ORmicrosoftinternet_explorerMatch6.0.2800.1106
ORmicrosoftinternet_explorerMatch6.00.2800.1106
ORmicrosoftinternet_explorerMatch6.0.2900
ORmicrosoftinternet_explorerMatch6.0.2900.2180
ORmicrosoftinternet_explorerMatch6.00.2900.2180
ORmicrosoftinternet_explorerMatch6.00.3663.0000
ORmicrosoftinternet_explorerMatch6.00.3718.0000
ORmicrosoftinternet_explorerMatch6.00.3790.0000
ORmicrosoftinternet_explorerMatch6.00.3790.1830
ORmicrosoftinternet_explorerMatch6.00.3790.3959
ORmicrosoftinternet_explorerMatch7
ORmicrosoftinternet_explorerMatch7.0
ORmicrosoftinternet_explorerMatch7.0beta
ORmicrosoftinternet_explorerMatch7.0beta1
ORmicrosoftinternet_explorerMatch7.0beta2
ORmicrosoftinternet_explorerMatch7.0beta3
ORmicrosoftinternet_explorerMatch7.0.5730unknowngold
ORmicrosoftinternet_explorerMatch7.0.5730.11
ORmicrosoftinternet_explorerMatch7.00.5730.1100
ORmicrosoftinternet_explorerMatch7.00.6000.16386
ORmicrosoftinternet_explorerMatch7.00.6000.16441
| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | ie | 9 | cpe:2.3:a:microsoft:ie:9:beta:*:*:*:*:*:* |
| microsoft | internet_explorer | * | cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 3.0 | cpe:2.3:a:microsoft:internet_explorer:3.0:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 3.0.1 | cpe:2.3:a:microsoft:internet_explorer:3.0.1:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 3.0.2 | cpe:2.3:a:microsoft:internet_explorer:3.0.2:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 3.1 | cpe:2.3:a:microsoft:internet_explorer:3.1:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 3.2 | cpe:2.3:a:microsoft:internet_explorer:3.2:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 4.0 | cpe:2.3:a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 4.0.1 | cpe:2.3:a:microsoft:internet_explorer:4.0.1:*:*:*:*:*:*:* |
| microsoft | internet_explorer | 4.0.1 | cpe:2.3:a:microsoft:internet_explorer:4.0.1:sp1:*:*:*:*:*:* |
References
conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt
news.cnet.com/8301-1009_3-20066419-83.html
www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/
www.informationweek.com/news/security/vulnerabilities/229700031
www.networkworld.com/community/node/74259
www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
www.youtube.com/watch?v=V95CX-3JpK0
www.youtube.com/watch?v=VsSkcnIFCxM
sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt
Related
prion
prion
Cross site scripting
2011-06-03 17:55:00
openvas
openvas
Microsoft Internet Explorer Cookie Hijacking Vulnerability
2011-06-13 00:00:00
Microsoft Internet Explorer Cookie Hijacking Vulnerability
2011-06-13 00:00:00
cvelist
cvelist
CVE-2011-2382
2011-06-03 17:00:00
cve
cve
CVE-2011-2382
2011-06-03 17:55:00
seebug
seebug
Microsoft Internet Explorer่ทจๅๆฌๅฐCookieๆไปถ่ฎฟ้ฎๅฎๅ
จ็ป่ฟๆผๆด
2011-08-10 00:00:00
nessus
nessus
CVSS2
4.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
AI Score
6.3
Confidence
Low
EPSS
0.012
Percentile
85.4%
Related for NVD:CVE-2011-2382