CVSS: 6.8EPSS: 95%CPEs: 3EXPL: 1CVE-2008-2947
https://notcve.org/view.php?id=CVE-2008-2947
Cross-domain vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 7 allows remote attackers to access restricted information from other domains via JavaScript that uses the Object data type for the value of a (1) location or (2) location.href property, related to incorrect determination of the origin of web script, aka "Window Location Property Cross-Domain Vulnerability." NOTE: according to Microsoft, CVE-2008-2948 and CVE-2008-2949 are duplicates of this issue, probably different attack vectors. Vulnerabilidad de dominios cruzados en Microsoft Internet Explorer 6 permite a atacantes remotos acceder a información restringida de otros dominios a través de JavaScript que utiliza tipos de datos Object para el valor de una propiedad (1) location o (2) location.href. • http://blogs.zdnet.com/security/?p=1348 http://marc.info/?l=bugtraq&m=122479227205998&w=2 http://secunia.com/advisories/30857 http://www.kb.cert.org/vuls/id/923508 http://www.ph4nt0m.org-a.googlepages.com/PSTZine_0x02_0x04.txt http://www.securityfocus.com/bid/29960 http://www.securitytracker.com/id?1020382 http://www.us-cert.gov/cas/techalerts/TA08-288A.html http://www.vupen.com/english/advisories/2008/1940/references http://www.vupen.com/english/advisories/ • CWE-284: Improper Access Control •
CVSS: 9.3EPSS: 68%CPEs: 2EXPL: 0CVE-2008-1442 – Microsoft Internet Explorer DOM Object substringData() Heap Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2008-1442
Heap-based buffer overflow in the substringData method in Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code, related to an unspecified manipulation of a DOM object before a call to this method, aka the "HTML Objects Memory Corruption Vulnerability." Desbordamiento de búfer basado en montículo en el método substringData en Microsoft Internet Explorer 6 y 7 permite a atacantes remotos ejecutar código de su elección a través de, lo que esta relacionado con un manipulación no específica de un objeto DOM antes de una llamada a este método, también conocida como "Vulnerabilidad de corrupción de memoria por objetos HTML" This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of various Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the substringData() method when called on a DOM object that has been manipulated in a special way. The attack results in an exploitable heap buffer allowing for code execution under the context of the current user. • http://marc.info/?l=bugtraq&m=121380194923597&w=2 http://secunia.com/advisories/30575 http://securityreason.com/securityalert/3934 http://securitytracker.com/id?1020225 http://www.securityfocus.com/archive/1/493253/100/0/threaded http://www.securityfocus.com/bid/29556 http://www.us-cert.gov/cas/techalerts/TA08-162B.html http://www.vupen.com/english/advisories/2008/1778 http://www.zerodayinitiative.com/advisories/ZDI-08-039 https://docs.microsoft.com/en-us/security-updates&#x • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 95%CPEs: 3EXPL: 2CVE-2008-2281 – Microsoft Internet Explorer - Print Table of Links Cross-Zone Scripting
https://notcve.org/view.php?id=CVE-2008-2281
Cross-zone scripting vulnerability in the Print Table of Links feature in Internet Explorer 6.0, 7.0, and 8.0b allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via an HTML document with a link containing JavaScript sequences, which are evaluated by a resource script when a user prints this document. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la característica Print Table of Links de Internet Explorer 6.0, 7.0 y 8.0b permite a atacantes remotos asistidos por el usuario inyectar secuencias de comandos web o HTML en la Zona de Máquina Local mediante un documento HTML con un enlace que contiene secuencias JavaScript, que se evalúan por un script de recurso cuando un usuario imprime el documento. • https://www.exploit-db.com/exploits/5619 http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx http://secunia.com/advisories/30141 http://www.securityfocus.com/bid/29217 http://www.vupen.com/english/advisories/2008/1529/references https://exchange.xforce.ibmcloud.com/vulnerabilities/42416 •
CVSS: 9.3EPSS: 28%CPEs: 25EXPL: 0CVE-2007-6255
https://notcve.org/view.php?id=CVE-2007-6255
Buffer overflow in the Microsoft HeartbeatCtl ActiveX control in HRTBEAT.OCX allows remote attackers to execute arbitrary code via the Host argument to an unspecified method. Desbordamiento de búfer en el control ActiveX Microsoft HeartbeatCtl en HRTBEAT.OCX permite a atacantes remotos ejecutar código de su elección a través del argumento Host en un método no especificado. • http://osvdb.org/44652 http://www.kb.cert.org/vuls/id/570089 http://www.securityfocus.com/bid/28882 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-069 https://exchange.xforce.ibmcloud.com/vulnerabilities/41940 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 67%CPEs: 24EXPL: 0CVE-2008-1085
https://notcve.org/view.php?id=CVE-2008-1085
Use-after-free vulnerability in Microsoft Internet Explorer 5.01 SP4, 6 through SP1, and 7 allows remote attackers to execute arbitrary code via a crafted data stream that triggers memory corruption, as demonstrated using an invalid MIME-type that does not have a registered handler. Vulnerabilidad de uso después de la liberación en Microsoft Internet Explorer 5.01 SP4, 6 hasta SP1, y 7, permite a atacantes remotos ejecutar código de su elección a través de una cadena de datos manipulada que provoca una corrupción de memoria, tal como se ha demostrado utilizando un MIME-type no válido que no contenía un manejador registrado. • http://marc.info/?l=bugtraq&m=120845064910729&w=2 http://secunia.com/advisories/27707 http://secunia.com/secunia_research/2007-100/advisory http://www.securityfocus.com/archive/1/490840/100/0/threaded http://www.securityfocus.com/bid/28552 http://www.securitytracker.com/id?1019801 http://www.us-cert.gov/cas/techalerts/TA08-099A.html http://www.vupen.com/english/advisories/2008/1148/references https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-024 • CWE-94: Improper Control of Generation of Code ('Code Injection') •