CVE-2008-2949

Current Description

Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to change the location property of a frame via the String data type, and use a frame from a different domain to observe domain-independent events, as demonstrated by observing onkeydown events with caballero-listener. NOTE: according to Microsoft, this is a duplicate of CVE-2008-2947, possibly a different attack vector.

Referenced by CVEs: CVE-2008-2947

Basic Data

Published: June 30, 2008
Last Modified: March 08, 2011
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: true

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
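    | CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Microsoft | Ie | 6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Microsoft | Ie | 7 | * | * | * | * | * | * | * | | | | |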

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Ie | 6, 7 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| http://blogs.zdnet.com/security/?p=1348 | MISC | http://blogs.zdnet.com/security/?p=1348 | |
| http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html | MISC | http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html | |
| http://technet.microsoft.com/en-us/security/cc405107.aspx#EHD | MISC | http://technet.microsoft.com/en-us/security/cc405107.aspx#EHD | |
| VU#516627 | CERT-VN | http://www.kb.cert.org/vuls/id/516627 | US Government Resource |
| ADV-2008-1941 | VUPEN | http://www.vupen.com/english/advisories/2008/1941/references | |