Vulnerability 11466 - CERT Civis.Net

Vulnerability Name:

CCN-11466

Published:

2003-02-25

Updated:

2003-02-25

Summary:

Microsoft Internet Explorer could allow a remote attacker to execute arbitrary commands on a victim's computer, caused by improper parsing of embedded script in HTML files when used to reference an embedded executable. A remote attacker could create a malicious Web page that contains an embedded EXE file that is referenced by embedded script. Once a victim views the malicious page, the malicious EXE file would be executed within the victim's Web browser, which could possibly allow the attacker to read files or execute commands on the victim's computer.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Consequences:

Gain Access

References:

Source: CCN
Type: BugTraq Mailing List, Tue Feb 25 2003 - 15:44:46 CST
Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II

Source: CCN
Type: BID-6961
Microsoft Internet Explorer Self Executing HTML File Vulnerability

Source: XF
Type: UNKNOWN
ie-embedded-exe-execution(11466)

Vulnerable Configuration:

Configuration CCN 1:

cpe:/a:microsoft:internet_explorer:5.5:-:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_explorer:5.5:sp1:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_explorer:5.5:sp2:*:*:*:*:*:*

OR cpe:/a:microsoft:ie:6.0:sp1:*:*:*:*:*:*

Denotes that component is vulnerable

BACK