Vulnerability Name:

CVE-2011-2382 (CCN-67890)

Assigned: 2011-05-26
Published: 2011-05-26
Updated: 2021-07-23
Summary: Microsoft Internet Explorer 8 and earlier, and Internet Explorer 9 beta, do not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-20
Vulnerability Consequences: Obtain Information
References:

Source: MISC
Type: UNKNOWN
http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388

Source: MITRE
Type: CNA
CVE-2011-2382

Source: MITRE
Type: CNA
CVE-2011-2383

Source: MISC
Type: UNKNOWN
http://ju12.tistory.com/attachment/cfile4.uf@151FAB4C4DDC9E0002A6FE.ppt

Source: CCN
Type: CNET News Web site
Security researcher finds 'cookiejacking' risk in IE

Source: MISC
Type: UNKNOWN
http://news.cnet.com/8301-1009_3-20066419-83.html

Source: CCN
Type: SA45565
Microsoft Internet Explorer Internet Explorer Iframe Cookie Disclosure Weakness

Source: CCN
Type: Microsoft Security Bulletin MS11-099
Cumulative Security Update for Internet Explorer (2618444)

Source: CCN
Type: Microsoft Security Bulletin MS12-010
Cumulative Security Update for Internet Explorer (2647516)

Source: CCN
Type: Microsoft Security Bulletin MS12-023
Cumulative Security Update for Internet Explorer (2675157)

Source: CCN
Type: Microsoft Security Bulletin MS12-037
Cumulative Security Update for Internet Explorer (2699988)

Source: CCN
Type: Microsoft Security Bulletin MS12-044
Cumulative Security Update for Internet Explorer (2719177)

Source: CCN
Type: Microsoft Security Bulletin MS12-052
Cumulative Security Update for Internet Explorer (2722913)

Source: MISC
Type: UNKNOWN
http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/

Source: MISC
Type: UNKNOWN
http://www.informationweek.com/news/security/vulnerabilities/229700031

Source: CCN
Type: Microsoft Security Bulletin MS11-057
Cumulative Security Update for Internet Explorer (2559049)

Source: CCN
Type: Microsoft Security Bulletin MS11-081
Cumulative Security Update for Internet Explorer (2586448)

Source: CCN
Type: Microsoft Web site
Internet Explorer: Home Page

Source: MISC
Type: UNKNOWN
http://www.networkworld.com/community/node/74259

Source: CCN
Type: OSVDB ID: 72724
Microsoft IE Cookie Jacking Account Authentication Bypass

Source: CCN
Type: BID-47989
Microsoft Internet Explorer Cross Zone Local Cookie File Access Security Bypass Vulnerability

Source: MISC
Type: UNKNOWN
http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

Source: MISC
Type: UNKNOWN
http://www.youtube.com/watch?v=V95CX-3JpK0

Source: MISC
Type: UNKNOWN
http://www.youtube.com/watch?v=VsSkcnIFCxM

Source: XF
Type: UNKNOWN
ms-ie-crosszonedraganddrop-info-disc(67890)

Source: MISC
Type: UNKNOWN
https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:9:beta:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0.5730:unknown:gold:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.01:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.01:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.72.3612.1713:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.0518.10:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.0910.1309:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2919.3800:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2919.6307:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2920.0000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.3103.1000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.4522.1800:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.2462.0000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.2479.0006:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.2800.1106:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2900.2180:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:beta:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:*:*:*:*:*:*:*:* (Version <= 8)
  • OR cpe:/a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.0.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.01:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.01:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.40.520:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.70.1155:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.70.1158:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.70.1215:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.70.1300:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.71.544:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.71.1008.3:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.71.1712.6:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.72.3110.8:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2314.1003:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2516.1900:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.3314.2101:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.3502.1000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.3700.1000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.3825.1300:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.4134.0100:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.4308.2900:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.4807.2300:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.01:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:preview:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2600:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2800:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2800.1106:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0.2900:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.2600.0000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0.5730.11:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.2900.2180:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.3718.0000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.3790.3959:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.00.5730.1100:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.00.6000.16441:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.01:sp4:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.0.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.40.308:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:4.72.2106.8:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp4:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.0.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2014.0216:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2614.3500:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.2919.800:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.3105.0106:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.00.3315.1000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.4030.2400:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.50.4134.0600:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.01:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.3663.0000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.3790.0000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.00.3790.1830:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.00.6000.16386:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:8.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable