Vulnerability Name: CVE-2007-2223 (CCN-35195)

Assigned: 2007-08-14
Published: 2007-08-14
Updated: 2019-02-27
Summary: Microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote attackers to execute arbitrary code via the substringData method on a (1) TextNode or (2) XMLDOM object, which causes an integer overflow that leads to a buffer overflow.
CVSS v3 Severity: 9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.6 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): High
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete
Vulnerability Type: CWE-190, CWE-119
Vulnerability Consequences: Gain Access
References:

Source: CCN
Type: Full-Disclosure Mailing List, Thu Aug 16 2007 - 04:32:10 CDT
MS07-042 XMLDOM substringData() PoC

Source: MITRE
Type: CNA
CVE-2007-2223

Source: CCN
Type: HP Security Bulletin HPSBST02255 SSRT071456 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-042 to MS07-050

Source: IDEFENSE
Type: Broken Link
20070814 Microsoft XML Core Services XMLDOM Memory Corruption Vulnerability

Source: CCN
Type: SA26447
Microsoft XML Core Services "substringData()" Integer Overflow Vulnerability

Source: SECUNIA
Type: Vendor Advisory
26447

Source: CCN
Type: SECTRACK ID: 1018559
Microsoft Core XML Services Memory Corruption Error Lets Remote Users Execute Arbitrary Code

Source: CCN
Type: ASA-2007-356
MS07-042 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

Source: CCN
Type: Microsoft Security Bulletin MS12-043
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)

Source: CCN
Type: Microsoft Security Bulletin MS13-002
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)

Source: CCN
Type: Microsoft Security Bulletin MS14-005
Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2916036)

Source: CCN
Type: Microsoft Security Bulletin MS14-067
Vulnerability in XML Core Services Could Allow Remote Code Execution

Source: CCN
Type: Microsoft Security Bulletin MS15-084
Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129)

Source: CCN
Type: Microsoft Security Bulletin MS16-040
Security Update for Microsoft XML Core Service (3148541)

Source: CCN
Type: Microsoft Security Bulletin MS17-022
Security Update for Microsoft XML Core Services (4010321)

Source: CCN
Type: Microsoft Security Bulletin MS14-033
Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (2966061)

Source: CCN
Type: IBM Internet Security Systems Protection Alert - Aug. 14, 2007
Microsoft XML Core Services Remote Code Execution

Source: CCN
Type: US-CERT VU#361968
Microsoft XML Core Services XMLDOM substringData() buffer overflow

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#361968

Source: CCN
Type: Microsoft Security Bulletin MS07-042
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)

Source: CCN
Type: Microsoft Security Bulletin MS08-069
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)

Source: CCN
Type: Microsoft Security Bulletin MS10-051
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20070814 ZDI-07-048: Microsoft Internet Explorer substringData() Heap Overflow Vulnerability

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20070816 MS07-042 XMLDOM substringData() PoC

Source: BID
Type: Third Party Advisory, VDB Entry
25301

Source: CCN
Type: BID-25301
Microsoft XML Core Services SubstringData Integer Overflow Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1018559

Source: VUPEN
Type: Vendor Advisory
ADV-2007-2866

Source: MISC
Type: Third Party Advisory, VDB Entry
http://www.zerodayinitiative.com/advisories/ZDI-07-048/

Source: MS
Type: Patch, Vendor Advisory
MS07-042

Source: XF
Type: UNKNOWN
msxml-request-code-execution(35195)

Source: CCN
Type: iDefense Labs PUBLIC ADVISORY: 08.14.07
Microsoft XML Core Services XMLDOM Memory Corruption Vulnerability

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:2069

Source: CCN
Type: ZDI-07-048
Microsoft Internet Explorer substringData() Heap Overflow Vulnerability

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:-:sp1:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:x86:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:gold:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_xp:-:*:*:*:professional:*:x64:*
  • OR cpe:/o:microsoft:windows_xp:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*
  • OR cpe:/o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*

Configuration 3:
  • cpe:/a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:expression_web:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2003:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2007:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office_compatibility_pack:2007:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office_groove_server:2007:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office_sharepoint_server:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:word_viewer:2003:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/a:microsoft:word_viewer:2003:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*
  • OR cpe:/a:microsoft:office_compatibility_pack:2007:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:sharepoint_server:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:groove_server:2007:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2007:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:expression_web:*:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:2069 | V | Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution | 2014-03-17

    microsoft xml core services 3.0
    microsoft xml core services 4.0
    microsoft xml core services 6.0
    microsoft windows server 2003 *
    microsoft windows server 2003 - sp1
    microsoft windows server 2003 - sp1
    microsoft windows server 2003 - sp2
    microsoft windows vista -
    microsoft windows vista -
    microsoft windows vista - gold
    microsoft windows vista - sp1
    microsoft windows xp -
    microsoft windows xp - sp2
    microsoft windows xp - sp2
    microsoft windows xp - sp3
    microsoft xml core services 4.0
    microsoft windows server 2008 -
    microsoft windows server 2008 -
    microsoft xml core services 5.0
    microsoft expression web *
    microsoft office 2003 sp2
    microsoft office 2007
    microsoft office compatibility pack 2007
    microsoft office groove server 2007
    microsoft office sharepoint server *
    microsoft word viewer 2003
    microsoft xml core services 3.0
    microsoft xml core services 4.0
    microsoft xml core services 6.0
    microsoft xml core services 5.0
    microsoft windows 2000 - sp4
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003_server sp1
    microsoft windows 2003_server sp1_itanium
    microsoft word viewer 2003
    microsoft office 2003 sp2
    microsoft windows vista *
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows vista -
    microsoft windows xp sp2
    microsoft office compatibility pack 2007
    microsoft sharepoint server *
    microsoft groove server 2007 sp2
    microsoft office 2007
    microsoft expression web *