CVE-2011-2383
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.
Microsoft Internet Explorer versión 9 y anteriores, no restringen apropiadamente las acciones de arrastrar y soltar en zona cruzada, lo que permite a los atacantes remotos asistidos por el usuario leer archivos de cookies por medio de vectores que involucran un elemento IFRAME con un atributo SRC que contiene una URL http: que redirecciona hacia URL file:, como es demostrado por un juego de Facebook, relacionado con un problema de "cookiejacking", también se conoce como "Drag and Drop Information Disclosure Vulnerability". NOTA: esta vulnerabilidad se presenta debido a una corrección incompleta en la versión 9 de Internet Explorer.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2011-06-03 CVE Reserved
- 2011-06-03 CVE Published
- 2024-08-06 CVE Updated
- 2024-10-29 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388 | X_refsource_misc | |
| http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt | X_refsource_misc | |
| http://news.cnet.com/8301-1009_3-20066419-83.html | X_refsource_misc | |
| http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503 | X_refsource_misc | |
| http://www.informationweek.com/news/security/vulnerabilities/229700031 | X_refsource_misc | |
| http://www.networkworld.com/community/node/74259 | X_refsource_misc | |
| http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking | X_refsource_misc | |
| http://www.youtube.com/watch?v=V95CX-3JpK0 | X_refsource_misc | |
| http://www.youtube.com/watch?v=VsSkcnIFCxM | X_refsource_misc | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12820 | Signature | |
| https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057 | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | Ie Search vendor "Microsoft" for product "Ie" | 9 Search vendor "Microsoft" for product "Ie" and version "9" | beta |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | <= 9 Search vendor "Microsoft" for product "Internet Explorer" and version " <= 9" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | 3.0 Search vendor "Microsoft" for product "Internet Explorer" and version "3.0" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | 4.0 Search vendor "Microsoft" for product "Internet Explorer" and version "4.0" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | 5 Search vendor "Microsoft" for product "Internet Explorer" and version "5" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | 6 Search vendor "Microsoft" for product "Internet Explorer" and version "6" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | 7 Search vendor "Microsoft" for product "Internet Explorer" and version "7" | - |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Internet Explorer Search vendor "Microsoft" for product "Internet Explorer" | 8 Search vendor "Microsoft" for product "Internet Explorer" and version "8" | - |
Affected
| ||||||