Vulnerability CVE-2008-4033
Published: 2008-11-12   Modified: 2012-02-12

Description:
Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."

Vendor: Microsoft
Product: 20007 office system 
Version: sp1;
Product: Xml core services 
Version:
6.0
5.0
4.0
3.0
Product: Office sharepoint server 
Version: 2007;
Product: Office groove server 
Version: 2007;
Product: Office 
Version: 2003;
Product: Word viewer 
Version: 2003;
Product: Expression web 
Version: 2;
Product: Office compatibility pack for word excel ppt 2007 

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.us-cert.gov/cas/techalerts/TA08-316A.html
http://www.securityfocus.com/bid/32204
http://www.vupen.com/english/advisories/2008/3111
http://www.microsoft.com/technet/security/Bulletin/MS08-069.mspx
http://securitytracker.com/id?1021164
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5847
http://marc.info/?l=bugtraq&m=122703006921213&w=2

Related CVE
CVE-2018-0983
 Windows Storage Services in Windows 10 versions 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way objects are handled in memory, aka "Windows Storage Services...
CVE-2018-0977
 The Windows kernel mode driver in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to how objects are handled in memory, aka "Win32k Elevation of Priv...
CVE-2018-0947
 Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Enterprise Server 2016 allow an elevation of privilege vulnerability to due how specially crafted web requests are sanitized, aka "Microsoft SharePoint Elevation of Privilege Vulnerabi...
CVE-2018-0944
 Microsoft Project Server 2013 SP1 and Microsoft SharePoint Enterprise Server 2016 allows an elevation of privilege vulnerability to due how specially crafted web requests are sanitized, aka "Microsoft SharePoint Elevation of Privilege Vulnerability"....
CVE-2018-0942
 Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allow elevation of privilege, due to how In...
CVE-2018-0941
 Microsoft Exchange Server 2016 Cumulative Update 7 and Microsoft Exchange Server 2016 Cumulative Update 8 allow an information disclosure vulnerability due to how data is imported, aka "Microsoft Exchange Information Disclosure Vulnerability". This C...
CVE-2018-0940
 Microsoft Exchange Outlook Web Access (OWA) in Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 20, Microsoft Exchange Server 2013 Cumulative Update 18, Microsoft Exchange Server 2013 Cumulative Update 19, Microsoft Exchange Server 2013 Se...
CVE-2018-0939
 ChakraCore and Microsoft Edge in Windows 10 1703 and 1709 allow information disclosure, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0891.
Copyright 2018, cxsecurity.com

 

Back to Top