CVE-2008-5554

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The XSS Filter in Microsoft Internet Explorer 8.0 Beta 2 does not properly handle some HTTP headers that appear after a CRLF sequence in a URI, which allows remote attackers to bypass the XSS protection mechanism and conduct XSS or redirection attacks, as demonstrated by the (1) Location and (2) Set-Cookie HTTP headers. NOTE: the vendor has reportedly stated that the XSS Filter intentionally does not attempt to "address every conceivable XSS attack scenario."

El filtro XSS (ejecución de secuencias de comandos en sitios cruzados) en Microsoft Internet Explorer 8.0 Beta 2 no gestiona de manera apropiada algunas cabeceras HTTP que aparecen después de una secuencia CRLF en una URI, lo que permite a atacantes remotos saltar el mecanismo de protección XSS y generar ataques XSS o de redirección, como se ha demostrado por las cabeceras HTTP (1) Location y (2) Set-Cookie. NOTA: El fabricante mantiene que el filtro XSS de manera intencionada no intenta "abordar todas las hipótesis de ataque XSS".

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-12-12 CVE Reserved
2008-12-12 CVE Published
2024-07-28 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/archive/1/499124/100/0/threaded	Mailing List
https://exchange.xforce.ibmcloud.com/vulnerabilities/47277	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/47443	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Internet Explorer Search vendor "Microsoft" for product "Internet Explorer"				8 Search vendor "Microsoft" for product "Internet Explorer" and version "8"		beta2		Affected