Vulnerability Name:

CVE-2004-1155 (CCN-18397)

Assigned:2004-12-08
Published:2004-12-08
Updated:2021-07-23
Summary:Internet Explorer 5.01 through 6 allows remote attackers to spoof arbitrary web sites by injecting content from one window into another window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.
Note: later research shows that Internet Explorer 7 on Windows XP SP2 is also vulnerable.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Other
References:Source: CCN
Type: Microsoft Security Response Center Blog, Tuesday, October 31, 2006 2:05
Information on New Address Bar Issue

Source: MITRE
Type: CNA
CVE-2004-1122

Source: MITRE
Type: CNA
CVE-2004-1155

Source: MITRE
Type: CNA
CVE-2004-1156

Source: MITRE
Type: CNA
CVE-2004-1157

Source: MITRE
Type: CNA
CVE-2004-1158

Source: MITRE
Type: CNA
CVE-2004-1160

Source: MITRE
Type: CNA
CVE-2004-1314

Source: CCN
Type: RHSA-2005-009
kdelibs

Source: CCN
Type: RHSA-2005-176
firefox security update

Source: CCN
Type: RHSA-2005-384
Mozilla security update

Source: CCN
Type: SA12892
Safari Dialog Box Spoofing Vulnerability

Source: CCN
Type: SA13129
Mozilla / Mozilla Firefox Window Injection Vulnerability

Source: CCN
Type: SA13251
Microsoft Internet Explorer Window Injection Vulnerability

Source: SECUNIA
Type: UNKNOWN
13251

Source: CCN
Type: SA13252
Safari Window Injection Vulnerability

Source: CCN
Type: SA13253
Opera Window Injection Vulnerability

Source: CCN
Type: SA13254
Konqueror Window Injection Vulnerability

Source: CCN
Type: SA13402
Netscape Window Injection Vulnerability

Source: CCN
Type: SA22628
Internet Explorer 7 Window Injection Vulnerability

Source: SECUNIA
Type: UNKNOWN
22628

Source: MISC
Type: Vendor Advisory
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

Source: MISC
Type: UNKNOWN
http://secunia.com/secunia_research/2004-13/advisory/

Source: CCN
Type: CIAC INFORMATION BULLETIN P-149
Firefox Security Update

Source: CCN
Type: GLSA-200412-16
kdelibs, kdebase: Multiple vulnerabilities

Source: CCN
Type: GLSA-200502-17
Opera: Multiple vulnerabilities

Source: CCN
Type: GLSA-200503-10
Mozilla Firefox: Various vulnerabilities

Source: CCN
Type: GLSA-200503-30
Mozilla Suite: Multiple vulnerabilities

Source: CCN
Type: Fedora Update Notification FEDORA-2004-548
Fedora: kdelibs-3.2.2-10.FC2 update

Source: CCN
Type: Fedora Update Notification FEDORA-2004-549
kdebase-3.2.2-8.FC2 update

Source: CCN
Type: Fedora Update Notification FEDORA-2004-550
kdelibs-3.3.1-2.4.FC3 update

Source: CCN
Type: Fedora Update Notification FEDORA-2004-551
kdebase-3.3.1-4.3.FC3 update

Source: CCN
Type: OSVDB ID: 12313
Microsoft IE Cross-domain Browser Window Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 13183
Apple Safari Cross-domain Browser Window Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 59844
Opera Cross-domain Browser Window Injection Content Spoofing

Source: CCN
Type: OSVDB ID: 59845
Netscape Cross-domain Browser Window Injection Content Spoofing

Source: BUGTRAQ
Type: UNKNOWN
20061025 IE7 status: 8 days after release, 3 unfixed issues

Source: CCN
Type: BID-11852
Netscape Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11853
KDE Konqueror Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11854
Mozilla Browser and Mozilla Firefox Remote Window Hijacking Vulnerability

Source: BID
Type: Exploit, Vendor Advisory
11855

Source: CCN
Type: BID-11855
Microsoft Internet Explorer Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11856
Opera Web Browser Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11857
Apple Safari Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11875
Omni Group OmniWeb Browser Remote Window Hijacking Vulnerability

Source: CCN
Type: BID-11876
ICab Web Browser Remote Window Hijacking Vulnerability

Source: CCN
Type: USN-149-3
Ubuntu 4.10 update for Firefox vulnerabilities

Source: XF
Type: UNKNOWN
web-browser-popup-spoofing(18397)

Source: SUSE
Type: SUSE-SA:2005:034
opera: various problems

Source: SUSE
Type: SUSE-SR:2004:004
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2004:005
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2005:001
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2005:003
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:microsoft:ie:5.0.1:*:windows_98:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:5.0.1:*:windows_nt_4.0:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:5.0.1:*:windows_2000:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:5.0.1:*:windows_95:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:preview:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp4:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:5.2.3:*:macintosh:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:7.0:windows_xp_sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:netscape:navigator:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:safari:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:opera:opera_browser:7.54:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.1:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora_core:2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.2:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora_core:3:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.1::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:10.0::amd64:*:*:*:*:*
  • OR cpe:/o:suse:suse_linux:9.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    microsoft ie 5.0.1
    microsoft ie 5.0.1
    microsoft internet explorer 5.5 sp1
    microsoft internet explorer 5.5 sp2
    microsoft ie 5.0.1
    microsoft ie 5.0.1
    microsoft internet explorer 5.5
    microsoft internet explorer 5.5 preview
    microsoft internet explorer 5.0.1
    microsoft internet explorer 5.0.1 sp4
    microsoft ie 5.2.3
    microsoft ie 6.0 sp1
    microsoft ie 7.0 windows_xp_sp2
    microsoft ie 6.0 sp2
    microsoft internet explorer 5.0.1 sp2
    microsoft internet explorer 5.0.1 sp3
    microsoft internet explorer 5.0.1 sp1
    microsoft internet explorer 6.0
    microsoft ie 6.0
    netscape navigator 7.2
    mozilla mozilla 1.7.3
    apple safari 1.2.4
    mozilla firefox 1.0
    opera opera browser 7.54
    gentoo linux *
    microsoft windows xp - sp1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    redhat enterprise linux 2.1
    suse suse linux 8.2
    suse suse linux 9.0
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    mandrakesoft mandrake linux 10.0
    suse suse linux 9.1
    redhat enterprise linux 3
    fedoraproject fedora core 2
    microsoft windows xp sp2
    suse suse linux 9.2
    mandrakesoft mandrake linux 10.1
    fedoraproject fedora core 3
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat linux advanced workstation 2.1
    mandrakesoft mandrake linux 10.1
    mandrakesoft mandrake linux 10.0
    suse suse linux 9.3