| Vulnerability Name: | CVE-2008-1448 (CCN-42679) |
| Assigned: | 2008-08-12 |
| Published: | 2008-08-12 |
| Updated: | 2018-10-12 |
| Summary: | The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability." |
| CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| CVSS v2 Severity: | 7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N) |
| | 5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C) |
| | 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C) |
| Vulnerability Type: | CWE-264 |
| Vulnerability Consequences: | Obtain Information |
| References: | Source: MITRE Type: CNA CVE-2008-1448 |
| | Source: HP Type: UNKNOWN HPSBST02360 |
| | Source: CCN Type: SA31415 Internet Explorer MHTML Protocol Handler Cross-Domain Information Disclosure |
| | Source: SECUNIA Type: Patch, Vendor Advisory 31415 |
| | Source: CCN Type: SECTRACK ID: 1020679 Microsoft Outlook Express MTHML Redirect Bug Lets Remote Users Obtain Information |
| | Source: CCN Type: SECTRACK ID: 1020680 Windows Mail MTHML Redirect Bug Lets Remote Users Obtain Information |
| | Source: CCN Type: CORE-2008-0103 Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass |
| | Source: MISC Type: UNKNOWN http://www.coresecurity.com/content/internet-explorer-zone-elevation |
| | Source: CCN Type: Microsoft Security Bulletin MS08-048 Security Update for Outlook Express and Windows Mail (951066) |
| | Source: CCN Type: Microsoft Security Bulletin MS09-037 Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution. (973908) |
| | Source: CCN Type: Microsoft Security Bulletin MS10-030 Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542) |
| | Source: BUGTRAQ Type: UNKNOWN 20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass |
| | Source: BID Type: Patch 30585 |
| | Source: CCN Type: BID-30585 Microsoft Outlook Express And Windows Mail MHTML Handler Information Disclosure Vulnerability |
| | Source: SECTRACK Type: UNKNOWN 1020679 |
| | Source: SECTRACK Type: UNKNOWN 1020680 |
| | Source: CERT Type: US Government Resource TA08-225A |
| | Source: VUPEN Type: Vendor Advisory ADV-2008-2352 |
| | Source: MS Type: UNKNOWN MS08-048 |
| | Source: XF Type: UNKNOWN outlook-mhtml-information-disclosure(42679) |
| | Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:5886 |
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable |