CVE-2011-2382

Microsoft Internet Explorer 8 and earlier, and Internet Explorer 9 beta, does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt
http://news.cnet.com/8301-1009_3-20066419-83.html
http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/
http://www.informationweek.com/news/security/vulnerabilities/229700031
http://www.networkworld.com/community/node/74259
http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
http://www.youtube.com/watch?v=V95CX-3JpK0
http://www.youtube.com/watch?v=VsSkcnIFCxM
https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt
http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt
http://news.cnet.com/8301-1009_3-20066419-83.html
http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/
http://www.informationweek.com/news/security/vulnerabilities/229700031
http://www.networkworld.com/community/node/74259
http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
http://www.youtube.com/watch?v=V95CX-3JpK0
http://www.youtube.com/watch?v=VsSkcnIFCxM
https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microsoft:ie:9:beta::::::
	cpe:2.3:a:microsoft:internet_explorer::::::::
	cpe:2.3:a:microsoft:internet_explorer:3.0:::::::*
	cpe:2.3:a:microsoft:internet_explorer:3.0.1:::::::*
	cpe:2.3:a:microsoft:internet_explorer:3.0.2:::::::*
	cpe:2.3:a:microsoft:internet_explorer:3.1:::::::*
	cpe:2.3:a:microsoft:internet_explorer:3.2:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.0:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.0.1:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.0.1:sp1::::::
	cpe:2.3:a:microsoft:internet_explorer:4.0.1:sp2::::::
	cpe:2.3:a:microsoft:internet_explorer:4.01:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.1:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.01:sp1::::::
	cpe:2.3:a:microsoft:internet_explorer:4.5:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.40.308:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.40.520:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.70.1155:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.70.1158:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.70.1215:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.70.1300:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.71.544:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.71.1008.3:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.71.1712.6:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.72.2106.8:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.72.3110.8:::::::*
	cpe:2.3:a:microsoft:internet_explorer:4.72.3612.1713:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.0:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.0.1:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp1::::::
	cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp2::::::
	cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp3::::::
	cpe:2.3:a:microsoft:internet_explorer:5.0.1:sp4::::::
	cpe:2.3:a:microsoft:internet_explorer:5.00.0518.10:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.0910.1309:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2014.0216:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2314.1003:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2516.1900:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2614.3500:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2919.800:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2919.3800:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2919.6307:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.2920.0000:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.3103.1000:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.3105.0106:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.3314.2101:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.3315.1000:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.3502.1000:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.00.3700.1000:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.01:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.1:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.01:sp1::::::
	cpe:2.3:a:microsoft:internet_explorer:5.01:sp2::::::
	cpe:2.3:a:microsoft:internet_explorer:5.01:sp3::::::
	cpe:2.3:a:microsoft:internet_explorer:5.01:sp4::::::
	cpe:2.3:a:microsoft:internet_explorer:5.2.3:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.5:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.5:preview::::::
	cpe:2.3:a:microsoft:internet_explorer:5.5:sp1::::::
	cpe:2.3:a:microsoft:internet_explorer:5.5:sp2::::::
	cpe:2.3:a:microsoft:internet_explorer:5.50.3825.1300:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.50.4030.2400:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.50.4134.0100:::::::*
cpe:2.3:a:microsoft:internet_explorer:5.50.4134.0600:::::::*
cpe:2.3:a:microsoft:internet_explorer:5.50.4308.2900:::::::*
cpe:2.3:a:microsoft:internet_explorer:5.50.4522.1800:::::::*
cpe:2.3:a:microsoft:internet_explorer:5.50.4807.2300:::::::*
cpe:2.3:a:microsoft:internet_explorer:6:::::::*
cpe:2.3:a:microsoft:internet_explorer:6:sp1::::::
cpe:2.3:a:microsoft:internet_explorer:6.0:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.2462.0000:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.2479.0006:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.0.2600:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.2600.0000:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.0.2800:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.0.2800.1106:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.2800.1106:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.0.2900:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.0.2900.2180:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.2900.2180:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.3663.0000:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.3718.0000:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.3790.0000:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.3790.1830:::::::*
cpe:2.3:a:microsoft:internet_explorer:6.00.3790.3959:::::::*
cpe:2.3:a:microsoft:internet_explorer:7:::::::*
cpe:2.3:a:microsoft:internet_explorer:7.0:::::::*
cpe:2.3:a:microsoft:internet_explorer:7.0:beta::::::
cpe:2.3:a:microsoft:internet_explorer:7.0:beta1::::::
cpe:2.3:a:microsoft:internet_explorer:7.0:beta2::::::
cpe:2.3:a:microsoft:internet_explorer:7.0:beta3::::::
cpe:2.3:a:microsoft:internet_explorer:7.0.5730:unknown:gold:::::*
cpe:2.3:a:microsoft:internet_explorer:7.0.5730.11:::::::*
cpe:2.3:a:microsoft:internet_explorer:7.00.5730.1100:::::::*
cpe:2.3:a:microsoft:internet_explorer:7.00.6000.16386:::::::*
cpe:2.3:a:microsoft:internet_explorer:7.00.6000.16441:::::::*

History

21 Nov 2024, 01:28

Type	Values Removed	Values Added
References	~~() http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388 -~~	() http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388 -
References	~~() http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt -~~	() http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt -
References	~~() http://news.cnet.com/8301-1009_3-20066419-83.html -~~	() http://news.cnet.com/8301-1009_3-20066419-83.html -
References	~~() http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/ -~~	() http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/ -
References	~~() http://www.informationweek.com/news/security/vulnerabilities/229700031 -~~	() http://www.informationweek.com/news/security/vulnerabilities/229700031 -
References	~~() http://www.networkworld.com/community/node/74259 -~~	() http://www.networkworld.com/community/node/74259 -
References	~~() http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/ -~~	() http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/ -
References	~~() http://www.youtube.com/watch?v=V95CX-3JpK0 -~~	() http://www.youtube.com/watch?v=V95CX-3JpK0 -
References	~~() http://www.youtube.com/watch?v=VsSkcnIFCxM -~~	() http://www.youtube.com/watch?v=VsSkcnIFCxM -
References	~~() https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt -~~	() https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt -

07 Nov 2023, 02:07

Type	Values Removed	Values Added
References	~~{'url': 'http://ju12.tistory.com/attachment/cfile4.uf@151FAB4C4DDC9E0002A6FE.ppt', 'name': 'http://ju12.tistory.com/attachment/cfile4.uf@151FAB4C4DDC9E0002A6FE.ppt', 'tags': [], 'refsource': 'MISC'}~~	() http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt -

Information

Published : 2011-06-03 17:55

Updated : 2025-04-11 00:51

NVD link : CVE-2011-2382

Mitre link : CVE-2011-2382

CVE.ORG link : CVE-2011-2382

JSON object : View

Products Affected

microsoft

ie
internet_explorer

CWE

CWE-20

Improper Input Validation

4.3 /10