CVE-2012-2423

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, provide different responses to remote requests depending on whether a ZIP pathname is valid, which allows remote attackers to obtain potentially sensitive information about the installation path and product version via a series of requests involving the Msxml2.XMLHTTP object.

Los manejadores intu-help-qb (también conocido como Intuit Help System Async Pluggable Protocol) en HelpAsyncPluggableProtocol.dll en Intuit QuickBooks v2009 hasta v2012, cuando se utiliza Internet Explorer, proporciona respuestas diferentes a las peticiones remotas, dependiendo de si un nombre de ruta ZIP es válido, lo que permite a atacantes remotos obtener información potencialmente sensible acerca de la ruta de instalación y versión del producto a través de una serie de peticiones que implican al objeto Msxml2.XMLHTTP.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Adjacent

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-04-25 CVE Reserved
2012-04-25 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (3)

URL	Tag	Source
http://www.kb.cert.org/vuls/id/232979	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/75174	Vdb Entry

URL	Date	SRC
http://www.securityfocus.com/archive/1/522139	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Intuit Search vendor "Intuit"	Quickbooks Search vendor "Intuit" for product "Quickbooks"	2009 Search vendor "Intuit" for product "Quickbooks" and version "2009"	-	Affected	in	Microsoft Search vendor "Microsoft"	Internet Explorer Search vendor "Microsoft" for product "Internet Explorer"	*	-	Safe
Intuit Search vendor "Intuit"	Quickbooks Search vendor "Intuit" for product "Quickbooks"	2010 Search vendor "Intuit" for product "Quickbooks" and version "2010"	-	Affected	in	Microsoft Search vendor "Microsoft"	Internet Explorer Search vendor "Microsoft" for product "Internet Explorer"	*	-	Safe
Intuit Search vendor "Intuit"	Quickbooks Search vendor "Intuit" for product "Quickbooks"	2011 Search vendor "Intuit" for product "Quickbooks" and version "2011"	-	Affected	in	Microsoft Search vendor "Microsoft"	Internet Explorer Search vendor "Microsoft" for product "Internet Explorer"	*	-	Safe
Intuit Search vendor "Intuit"	Quickbooks Search vendor "Intuit" for product "Quickbooks"	2012 Search vendor "Intuit" for product "Quickbooks" and version "2012"	-	Affected	in	Microsoft Search vendor "Microsoft"	Internet Explorer Search vendor "Microsoft" for product "Internet Explorer"	*	-	Safe