Vulnerability Name:

CVE-2002-0027 (CCN-7737)

Assigned:2001-12-19
Published:2001-12-19
Updated:2021-07-23
Summary:Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: CCN
Type: BugTraq Mailing List, Wed Dec 19 2001 - 17:59:14 CST
Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

Source: CCN
Type: BugTraq Mailing List, Sat Feb 09 2002 - 14:34:51 CST
MSN Messenger Hijacking

Source: MITRE
Type: CNA
CVE-2002-0027

Source: CCN
Type: Microsoft Product Support Services
List of Fixes in Microsoft Internet Explorer 6 SP1

Source: CCN
Type: CERT Tech Tips, February 2, 2000
Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites

Source: CCN
Type: CIAC Information Bulletin M-041
Microsoft Internet Explorer Cumulative Patch

Source: CCN
Type: US-CERT VU#598147
Microsoft Internet Explorer does not properly handle document.open()

Source: CCN
Type: Microsoft Security Bulletin MS00-033
Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", and "Malformed Component Attribute" Vulnerabilities

Source: CCN
Type: Microsoft Security Bulletin MS00-055
Patch Available for 'Scriptlet Rendering' Vulnerability

Source: CCN
Type: Microsoft Security Bulletin MS00-093
Patch Available for "Browser Print Template" and "File Upload via Form" Vulnerabilities

Source: CCN
Type: Microsoft Security Bulletin MS01-015
IE can Divulge Location of Cached Content

Source: CCN
Type: Microsoft Security Bulletin MS01-027
Flaws in Web Server Certificate Validation Could Enable Spoofing

Source: CCN
Type: Microsoft Security Bulletin MS01-058
13 December 2001 Cumulative Patch for IE

Source: CCN
Type: Microsoft Security Bulletin MS02-005
11 February 2002 Cumulative Patch for Internet Explorer

Source: CCN
Type: Microsoft Security Bulletin MS02-015
28 March 2002 Cumulative Patch for Internet Explorer

Source: CCN
Type: Microsoft Security Bulletin MS02-023
15 May 2002 Cumulative Patch for Internet Explorer (Q321232)

Source: CCN
Type: Microsoft Security Bulletin MS02-047
Cumulative Patch for Internet Explorer (Q323759)

Source: CCN
Type: Microsoft Security Bulletin MS02-066
Cumulative Patch for Internet Explorer (Q328970)

Source: CCN
Type: Microsoft Security Bulletin MS02-068
Cumulative Patch for Internet Explorer (324929)

Source: CCN
Type: Microsoft Security Bulletin MS03-004
Cumulative Patch for Internet Explorer (810847)

Source: CCN
Type: Microsoft Security Bulletin MS03-015
Cumulative Patch for Internet Explorer (813489)

Source: CCN
Type: Microsoft Security Bulletin MS03-020
Cumulative Patch for Internet Explorer (818529)

Source: CCN
Type: Microsoft Security Bulletin MS03-032
Cumulative Patch for Internet Explorer (822925)

Source: CCN
Type: Microsoft Security Bulletin MS03-040
Cumulative Patch for Internet Explorer (828750)

Source: CCN
Type: Microsoft Security Bulletin MS03-048
Cumulative Security Update for Internet Explorer (824145)

Source: CCN
Type: Microsoft Security Bulletin MS04-004
Cumulative Security Update for Internet Explorer (832894)

Source: CCN
Type: Microsoft Security Bulletin MS04-025
Cumulative Security Update for Internet Explorer (867801)

Source: CCN
Type: Microsoft Security Bulletin MS04-038
Cumulative Security Update for Internet Explorer (834707)

Source: CCN
Type: Microsoft Security Bulletin MS04-040
Cumulative Security Update for Internet Explorer (889293)

Source: CCN
Type: Microsoft Security Bulletin MS05-014
Cumulative Security Update for Internet Explorer (867282)

Source: CCN
Type: Microsoft Security Bulletin MS05-020
Cumulative Security Update for Internet Explorer (890923)

Source: CCN
Type: Microsoft Security Bulletin MS05-025
Cumulative Security Update for Internet Explorer (883939)

Source: CCN
Type: Microsoft Security Bulletin MS05-038
Cumulative Security Update for Internet Explorer (896727)

Source: CCN
Type: Microsoft Security Bulletin MS05-052
Cumulative Security Update for Internet Explorer (896688)

Source: CCN
Type: Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)

Source: CCN
Type: Microsoft Security Bulletin MS06-004
Cumulative Security Update for Internet Explorer (910620)

Source: CCN
Type: Microsoft Security Bulletin MS06-013
Cumulative Security Update for Internet Explorer (912812)

Source: CCN
Type: Microsoft Security Bulletin MS06-021
Cumulative Security Update for Internet Explorer (916281)

Source: CCN
Type: Microsoft Security Bulletin MS06-042
Cumulative Security Update for Internet Explorer (918899)

Source: CCN
Type: Microsoft Security Bulletin MS06-067
Cumulative Security Update for Internet Explorer (922760)

Source: CCN
Type: Microsoft Security Bulletin MS06-072
Cumulative Security Update for Internet Explorer (925454)

Source: CCN
Type: Microsoft Security Bulletin MS07-016
Cumulative Security Update for Internet Explorer (928090)

Source: CCN
Type: Microsoft Security Bulletin MS07-027
Cumulative Security Update for Internet Explorer (931768)

Source: CCN
Type: Microsoft Security Bulletin MS07-033
Cumulative Security Update for Internet Explorer (933566)

Source: CCN
Type: Microsoft Security Bulletin MS07-045
Cumulative Security Update for Internet Explorer (937143)

Source: CCN
Type: Microsoft Security Bulletin MS07-057
Cumulative Security Update for Internet Explorer (939653)

Source: CCN
Type: Microsoft Security Bulletin MS07-069
Cumulative Security Update for Internet Explorer (942615)

Source: CCN
Type: Microsoft Security Bulletin MS08-010
Cumulative Security Update for Internet Explorer (944533)

Source: CCN
Type: Microsoft Security Bulletin MS08-024
Cumulative Security Update for Internet Explorer (947864)

Source: CCN
Type: Microsoft Security Bulletin MS08-031
Cumulative Security Update for Internet Explorer (950759)

Source: CCN
Type: Microsoft Security Bulletin MS08-045
Cumulative Security Update for Internet Explorer (953838)

Source: CCN
Type: Microsoft Security Bulletin MS08-058
Cumulative Security Update for Internet Explorer (956390)

Source: OSVDB
Type: UNKNOWN
3031

Source: CCN
Type: OSVDB ID: 2008
Microsoft IE Same Origin Policy Violation

Source: CCN
Type: OSVDB ID: 3031
Microsoft IE document.Open Same Origin Policy Violation

Source: BUGTRAQ
Type: Vendor Advisory
20011219 Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

Source: BID
Type: Exploit, Patch, Vendor Advisory
3721

Source: CCN
Type: BID-3721
Microsoft IE Same Origin Policy Violation Vulnerability

Source: MS
Type: UNKNOWN
MS02-005

Source: XF
Type: UNKNOWN
ie-same-origin-violation(7737)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:974

Source: CCN
Type: Microsoft Knowledge Base Article 317729
MS02-005: Patch Is Available for a New Variant of the "Frame Domain Verification" Vulnerability (Q317729)

Source: CCN
Type: Microsoft Knowledge Base Article 328548
How to Obtain the Latest Service Pack for Internet Explorer 6

Vulnerable Configuration:Configuration 1:
  • cpe:/a:microsoft:internet_explorer:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:5.5:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp2:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:974
    V
    IE Frame Domain Verification Vulnerability
    2016-02-19
    BACK
    microsoft internet explorer 5.5
    microsoft internet explorer 6.0
    microsoft ie 5.5
    microsoft ie 5.5 sp1
    microsoft ie 6.0
    microsoft ie 5.5 sp2