Vulnerability CVE-2008-4033
Published: 2008-11-12   Modified: 2012-02-12

Description:
Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."

Vendor: Microsoft
Product: 20007 office system 
Version: sp1;
Product: Xml core services 
Version:
6.0
5.0
4.0
3.0
Product: Office sharepoint server 
Version: 2007;
Product: Office groove server 
Version: 2007;
Product: Office 
Version: 2003;
Product: Word viewer 
Version: 2003;
Product: Expression web 
Version: 2;
Product: Office compatibility pack for word excel ppt 2007 

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.us-cert.gov/cas/techalerts/TA08-316A.html
http://www.securityfocus.com/bid/32204
http://www.vupen.com/english/advisories/2008/3111
http://www.microsoft.com/technet/security/Bulletin/MS08-069.mspx
http://securitytracker.com/id?1021164
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5847
http://marc.info/?l=bugtraq&m=122703006921213&w=2

Related CVE
CVE-2018-8404
 An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows Server 2012, Wi...
CVE-2018-8398
 An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Win...
CVE-2018-8394
 An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Win...
CVE-2018-8349
 A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Wind...
CVE-2018-8348
 An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka "Windows Kernel Information Disclosure Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 200...
CVE-2018-8345
 A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windo...
CVE-2018-8344
 A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8...
CVE-2018-8343
 An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it, aka "Windows NDIS Elevation of Privilege Vulnerability." This affec...
Copyright 2018, cxsecurity.com

 

Back to Top