Vulnerability Name:

CVE-2007-3091 (CCN-34696)

Assigned:2007-06-04
Published:2007-06-04
Updated:2021-07-23
Summary:Race condition in Microsoft Internet Explorer 6 SP1; 6 and 7 for Windows XP SP2 and SP3; 6 and 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 allows remote attackers to execute arbitrary code or perform other actions upon a page transition, with the permissions of the old page and the content of the new page, as demonstrated by setInterval functions that set location.href within a try/catch expression, aka the "bait & switch vulnerability" or "Race Condition Cross-Domain Information Disclosure Vulnerability."
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
5.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
2.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-362
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: Full-Disclosure Mailing List, Mon Jun 04 2007 - 06:02:40 CDT
Assorted browser vulnerabilities

Source: FULLDISC
Type: UNKNOWN
20070604 Assorted browser vulnerabilities

Source: MITRE
Type: CNA
CVE-2007-3091

Source: MISC
Type: UNKNOWN
http://lcamtuf.coredump.cx/ierace/

Source: OSVDB
Type: UNKNOWN
38497

Source: OSVDB
Type: UNKNOWN
54944

Source: CCN
Type: SA25564
Internet Explorer Page Loading Race Condition and URL Spoofing

Source: SECUNIA
Type: Vendor Advisory
25564

Source: SREASON
Type: UNKNOWN
2781

Source: CCN
Type: SECTRACK ID: 1018192
Microsoft Internet Explorer Input Validation Hole Permits Cross-Site Scripting Attacks

Source: SECTRACK
Type: UNKNOWN
1018192

Source: CCN
Type: ASA-2009-221
MS09-019 Cumulative Security Update for Internet Explorer (969897)

Source: CCN
Type: NORTEL BULLETIN ID: 2009009559, Rev 1
Nortel Response to Microsoft Security Bulletin MS09-019

Source: CCN
Type: US-CERT VU#471361
Microsoft Internet Explorer cross-domain frame race condition

Source: CERT-VN
Type: US Government Resource
VU#471361

Source: CCN
Type: Microsoft Security Bulletin MS07-033
Cumulative Security Update for Internet Explorer (933566)

Source: CCN
Type: Microsoft Security Bulletin MS09-019
Cumulative Security Update for Internet Explorer (969897)

Source: CCN
Type: Microsoft Internet Explorer Web site
Internet Explorer: Home Page

Source: CCN
Type: OSVDB ID: 38497
Microsoft IE Page Transaction Race Condition Arbitrary Code Execution

Source: CCN
Type: OSVDB ID: 54944
Microsoft IE Race Condition Cross-Domain Information Disclosure

Source: BUGTRAQ
Type: UNKNOWN
20070604 Assorted browser vulnerabilities

Source: BID
Type: Patch
24283

Source: CCN
Type: BID-24283
Microsoft Internet Explorer JavaScript Cross Domain Information Disclosure Vulnerability

Source: CERT
Type: US Government Resource
TA09-160A

Source: VUPEN
Type: Vendor Advisory
ADV-2007-2064

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-1538

Source: MS
Type: UNKNOWN
MS09-019

Source: XF
Type: UNKNOWN
ie-pageupdate-security-bypass(34696)

Source: XF
Type: UNKNOWN
ie-pageupdate-security-bypass(34696)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:6041

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp1:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp2:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp2:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:professional:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp1:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:sp2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:internet_explorer:6:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:microsoft:windows_vista:*:sp1:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:-:x64:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*
  • AND
  • cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:6041
    V
    		Race Condition Cross-Domain Information Disclosure Vulnerability
    2014-08-18
    BACK
    microsoft windows 2003 server sp1
    microsoft windows 2003 server sp1
    microsoft windows xp * sp2
    microsoft windows 2003 server sp2
    microsoft windows 2003 server sp2
    microsoft windows xp * sp2
    microsoft windows xp * sp2
    microsoft windows 2003 server sp1
    microsoft windows 2003 server sp2
    microsoft internet explorer 6
    microsoft internet explorer 7.0
    microsoft windows 2000 * sp4
    microsoft internet explorer 6 sp1
    microsoft windows vista * sp1
    microsoft windows vista - sp2
    microsoft windows server 2008 - -
    microsoft windows server 2008 - sp2
    microsoft windows server 2008 - sp2
    microsoft windows server 2008 - -
    microsoft windows server 2008 - sp2
    microsoft windows vista *
    microsoft windows vista - sp1
    microsoft windows vista - -
    microsoft internet explorer 7.0
    microsoft ie 6.0
    microsoft ie 6.0 sp1
    microsoft ie 7.0
    microsoft windows server 2008 -
    microsoft windows server 2008
    microsoft windows 2000 - sp4
    microsoft windows xp sp2
    microsoft windows vista *
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows vista -
    microsoft windows xp sp2
    microsoft windows vista - sp1
    microsoft windows vista - sp1
    microsoft windows server 2008 -
    microsoft windows server 2008 -
    microsoft windows xp sp3
    microsoft windows vista - sp2
    microsoft windows vista - sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008 sp2