CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2008-3358
https://notcve.org/view.php?id=CVE-2008-3358
Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el Web Dynpro (WD) en el portal SAP NetWeaver, cuando se usa con Internet Explorer v7.0.5730, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de una URI manipulada, lo que provoca que la carga XSS sea reflejada en un documento de texto plano. • http://osvdb.org/51627 http://secunia.com/advisories/33685 http://service.sap.com/sap/support/notes/1235253 http://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt http://www.securityfocus.com/archive/1/500415/100/0/threaded http://www.securityfocus.com/bid/33465 http://www.securitytracker.com/id?1021638 http://www.vupen.com/english/advisories/2009/0255 https://exchange.xforce.ibmcloud.com/vulnerabilities/48237 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 1%CPEs: 6EXPL: 1CVE-2009-0072 – Microsoft Internet Explorer Javascript Denial Of Service
https://notcve.org/view.php?id=CVE-2009-0072
Microsoft Internet Explorer 6.0 through 8.0 beta2 allows remote attackers to cause a denial of service (application crash) via an onload=screen[""] attribute value in a BODY element. Microsoft Internet Explorer 6.0 hasta 8.0 beta2 permite a atacantes remotos provocar una denegación de servicio (caída de aplicación) a través del valor del atributo onload=screen[""] en un elemento "BODY". • http://skypher.com/index.php/2009/01/07/msie-screen-null-ptr-dos-details http://www.securityfocus.com/bid/33149 https://exchange.xforce.ibmcloud.com/vulnerabilities/47788 •
CVSS: 4.3EPSS: 4%CPEs: 3EXPL: 0CVE-2008-4127
https://notcve.org/view.php?id=CVE-2008-4127
Mshtml.dll in Microsoft Internet Explorer 7 Gold 7.0.5730 and 8 Beta 8.0.6001 on Windows XP SP2 allows remote attackers to cause a denial of service (failure of subsequent image rendering) via a crafted PNG file, related to an infinite loop in the CDwnTaskExec::ThreadExec function. Mshtml.dll en Microsoft Internet Explorer 7 Gold 7.0.5730 y 8 Beta 8.0.6001 en Windows XP SP2 que permite a los atacantes remotos causar una denegación de servicios (fallo en rendererizado posterior de la imagen) a través de un fichero PNG manipulado, en relación a un bucle infinito en la función CDwnTaskExec::ThreadExec. • http://securityreason.com/securityalert/4273 http://www.securityfocus.com/archive/1/496483/100/0/threaded http://www.securityfocus.com/bid/31215 https://exchange.xforce.ibmcloud.com/vulnerabilities/45225 • CWE-399: Resource Management Errors •
CVSS: 6.8EPSS: 8%CPEs: 2EXPL: 1CVE-2008-2948 – Microsoft Internet Explorer 7/8 Beta 1 - Frame Location Cross Domain Security Bypass
https://notcve.org/view.php?id=CVE-2008-2948
Cross-domain vulnerability in Microsoft Internet Explorer 7 and 8 allows remote attackers to change the location property of a frame via the Object data type, and use a frame from a different domain to observe domain-independent events, as demonstrated by observing onkeydown events with caballero-listener. NOTE: according to Microsoft, this is a duplicate of CVE-2008-2947, possibly a different attack vector. Una vulnerabilidad de tipo cross-domain en Microsoft Internet Explorer versiones 7 y 8, permite a los atacantes remotos cambiar la propiedad de ubicación de una trama por medio del tipo de dato Object y usar una trama de un dominio diferente para observar eventos independientes del dominio, como se demuestra mediante la observación de eventos onkeydown con caballero-listener. NOTA: según Microsoft, este es un duplicado del CVE-2008-2947, posiblemente un vector de ataque diferente. • https://www.exploit-db.com/exploits/31996 http://blogs.zdnet.com/security/?p=1348 http://secunia.com/advisories/30851 http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html http://technet.microsoft.com/en-us/security/cc405107.aspx#EHD http://www.gnucitizen.org/blog/ghost-busters http://www.kb.cert.org/vuls/id/516627 http://www.vupen.com/english/advisories/2008/1941/references •
CVSS: 4.3EPSS: 77%CPEs: 2EXPL: 1CVE-2008-1545
https://notcve.org/view.php?id=CVE-2008-1545
The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 7 does not restrict the dangerous Transfer-Encoding HTTP request header, which allows remote attackers to conduct HTTP request splitting and HTTP request smuggling attacks via a POST containing a "Transfer-Encoding: chunked" header and a request body with an incorrect chunk size. El método setRequestHeader del objeto XMLHttpRequest en Microsoft Internet Explorer 7 no restringe las cabeceras de las peticiones HTTP Transfer-Encoding peligrosas, lo que permite a atacantes remotos llevar a cabo ataques de división y contrabando de peticiones HTTP mediante un POST que contiene una cabecera "Transfer-Encoding: chunked" y un contenido con un tamaño de trozo incorrecto. • http://secunia.com/advisories/29453 http://securityreason.com/securityalert/3786 http://www.mindedsecurity.com/MSA01240108.html http://www.securityfocus.com/archive/1/489960/100/0/threaded http://www.vupen.com/english/advisories/2008/0980 https://exchange.xforce.ibmcloud.com/vulnerabilities/42804 • CWE-20: Improper Input Validation •