cvelistv5 - CVE-2008-1448

CVE-2008-1448 (GCVE-0-2008-1448)

Vulnerability from cvelistv5 – Published: 2008-08-13 00:00 – Updated: 2024-08-07 08:24

Summary

The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability."

Severity ?

No CVSS data available.

CWE

Assigner

microsoft

References

URL

Tags

	http://www.securitytracker.com/id?1020679	vdb-entryx_refsource_SECTRACK
	http://www.securityfocus.com/bid/30585	vdb-entryx_refsource_BID
	http://www.us-cert.gov/cas/techalerts/TA08-225A.html	third-party-advisoryx_refsource_CERT
	http://www.coresecurity.com/content/internet-expl…	x_refsource_MISC
	https://docs.microsoft.com/en-us/security-updates…	vendor-advisoryx_refsource_MS
	http://www.securitytracker.com/id?1020680	vdb-entryx_refsource_SECTRACK
	http://marc.info/?l=bugtraq&m=121915960406986&w=2	vendor-advisoryx_refsource_HP
	http://marc.info/?l=bugtraq&m=121915960406986&w=2	vendor-advisoryx_refsource_HP
	http://www.securityfocus.com/archive/1/495458/100…	mailing-listx_refsource_BUGTRAQ
	http://secunia.com/advisories/31415	third-party-advisoryx_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2008/2352	vdb-entryx_refsource_VUPEN
	https://oval.cisecurity.org/repository/search/def…	vdb-entrysignaturex_refsource_OVAL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T08:24:41.805Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1020679",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1020679"
          },
          {
            "name": "30585",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/30585"
          },
          {
            "name": "TA08-225A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
          },
          {
            "name": "MS08-048",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
          },
          {
            "name": "1020680",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1020680"
          },
          {
            "name": "HPSBST02360",
            "tags": [
              "vendor-advisory",
              "x_refsource_HP",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
          },
          {
            "name": "SSRT080117",
            "tags": [
              "vendor-advisory",
              "x_refsource_HP",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
          },
          {
            "name": "20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
          },
          {
            "name": "31415",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31415"
          },
          {
            "name": "ADV-2008-2352",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2352"
          },
          {
            "name": "oval:org.mitre.oval:def:5886",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-08-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "1020679",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1020679"
        },
        {
          "name": "30585",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/30585"
        },
        {
          "name": "TA08-225A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
        },
        {
          "name": "MS08-048",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
        },
        {
          "name": "1020680",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1020680"
        },
        {
          "name": "HPSBST02360",
          "tags": [
            "vendor-advisory",
            "x_refsource_HP"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
        },
        {
          "name": "SSRT080117",
          "tags": [
            "vendor-advisory",
            "x_refsource_HP"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
        },
        {
          "name": "20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
        },
        {
          "name": "31415",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31415"
        },
        {
          "name": "ADV-2008-2352",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2008/2352"
        },
        {
          "name": "oval:org.mitre.oval:def:5886",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2008-1448",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1020679",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1020679"
            },
            {
              "name": "30585",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/30585"
            },
            {
              "name": "TA08-225A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
            },
            {
              "name": "http://www.coresecurity.com/content/internet-explorer-zone-elevation",
              "refsource": "MISC",
              "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
            },
            {
              "name": "MS08-048",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
            },
            {
              "name": "1020680",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1020680"
            },
            {
              "name": "HPSBST02360",
              "refsource": "HP",
              "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
            },
            {
              "name": "SSRT080117",
              "refsource": "HP",
              "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
            },
            {
              "name": "20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
            },
            {
              "name": "31415",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31415"
            },
            {
              "name": "ADV-2008-2352",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2008/2352"
            },
            {
              "name": "oval:org.mitre.oval:def:5886",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2008-1448",
    "datePublished": "2008-08-13T00:00:00",
    "dateReserved": "2008-03-21T00:00:00",
    "dateUpdated": "2024-08-07T08:24:41.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*\", \"matchCriteriaId\": \"589E5F7F-5429-4050-8C0D-F7F8D18DEB3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"85FD3557-956D-4A96-8AA5-5FD9DB87FD11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"D45F2775-A10B-4834-A2EF-7498EEAB155D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0BDD015F-267D-4E33-885B-6A14F493CCC5\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \\\"URL Parsing Cross-Domain Information Disclosure Vulnerability.\\\"\"}, {\"lang\": \"es\", \"value\": \"El manejador de protocolo MHTML en un componente de Outlook Express versiones 5.5 SP2 y 6 hasta SP1 y Windows Mail de Microsoft no asigna la zona de seguridad de Internet Explorer correcta a los nombres de ruta (path) de recurso compartido UNC, lo que permite a los atacantes remotos omitir las restricciones de acceso previstas y leer archivos arbitrarios por medio de un URI mhtml: en conjunto con un redireccionamiento, tambi\\u00e9n se conoce como \\\"URL Parsing Cross-Domain Information Disclosure Vulnerability\\\".\"}]",
      "id": "CVE-2008-1448",
      "lastModified": "2024-11-21T00:44:34.530",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:N/A:N\", \"baseScore\": 7.1, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2008-08-13T00:41:00.000",
      "references": "[{\"url\": \"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://secunia.com/advisories/31415\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.coresecurity.com/content/internet-explorer-zone-elevation\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://www.securityfocus.com/archive/1/495458/100/0/threaded\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://www.securityfocus.com/bid/30585\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.securitytracker.com/id?1020679\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://www.securitytracker.com/id?1020680\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://www.us-cert.gov/cas/techalerts/TA08-225A.html\", \"source\": \"secure@microsoft.com\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2008/2352\", \"source\": \"secure@microsoft.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886\", \"source\": \"secure@microsoft.com\"}, {\"url\": \"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/31415\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.coresecurity.com/content/internet-explorer-zone-elevation\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/495458/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/30585\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.securitytracker.com/id?1020679\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id?1020680\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.us-cert.gov/cas/techalerts/TA08-225A.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2008/2352\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secure@microsoft.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-1448\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2008-08-13T00:41:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \\\"URL Parsing Cross-Domain Information Disclosure Vulnerability.\\\"\"},{\"lang\":\"es\",\"value\":\"El manejador de protocolo MHTML en un componente de Outlook Express versiones 5.5 SP2 y 6 hasta SP1 y Windows Mail de Microsoft no asigna la zona de seguridad de Internet Explorer correcta a los nombres de ruta (path) de recurso compartido UNC, lo que permite a los atacantes remotos omitir las restricciones de acceso previstas y leer archivos arbitrarios por medio de un URI mhtml: en conjunto con un redireccionamiento, tambi\u00e9n se conoce como \\\"URL Parsing Cross-Domain Information Disclosure Vulnerability\\\".\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:N/A:N\",\"baseScore\":7.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"589E5F7F-5429-4050-8C0D-F7F8D18DEB3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85FD3557-956D-4A96-8AA5-5FD9DB87FD11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D45F2775-A10B-4834-A2EF-7498EEAB155D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0BDD015F-267D-4E33-885B-6A14F493CCC5\"}]}]}],\"references\":[{\"url\":\"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://secunia.com/advisories/31415\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.coresecurity.com/content/internet-explorer-zone-elevation\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://www.securityfocus.com/archive/1/495458/100/0/threaded\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://www.securityfocus.com/bid/30585\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securitytracker.com/id?1020679\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://www.securitytracker.com/id?1020680\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://www.us-cert.gov/cas/techalerts/TA08-225A.html\",\"source\":\"secure@microsoft.com\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.vupen.com/english/advisories/2008/2352\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048\",\"source\":\"secure@microsoft.com\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886\",\"source\":\"secure@microsoft.com\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/31415\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.coresecurity.com/content/internet-explorer-zone-elevation\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/495458/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/30585\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securitytracker.com/id?1020679\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id?1020680\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.us-cert.gov/cas/techalerts/TA08-225A.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.vupen.com/english/advisories/2008/2352\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

FKIE_CVE-2008-1448

Vulnerability from fkie_nvd - Published: 2008-08-13 00:41 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
secure@microsoft.com	http://marc.info/?l=bugtraq&m=121915960406986&w=2
secure@microsoft.com	http://secunia.com/advisories/31415	Patch, Vendor Advisory
secure@microsoft.com	http://www.coresecurity.com/content/internet-explorer-zone-elevation
secure@microsoft.com	http://www.securityfocus.com/archive/1/495458/100/0/threaded
secure@microsoft.com	http://www.securityfocus.com/bid/30585	Patch
secure@microsoft.com	http://www.securitytracker.com/id?1020679
secure@microsoft.com	http://www.securitytracker.com/id?1020680
secure@microsoft.com	http://www.us-cert.gov/cas/techalerts/TA08-225A.html	US Government Resource
secure@microsoft.com	http://www.vupen.com/english/advisories/2008/2352	Vendor Advisory
secure@microsoft.com	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048
secure@microsoft.com	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886
af854a3a-2127-422b-91ae-364da2661108	http://marc.info/?l=bugtraq&m=121915960406986&w=2
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/31415	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.coresecurity.com/content/internet-explorer-zone-elevation
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/495458/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/30585	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1020679
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1020680
af854a3a-2127-422b-91ae-364da2661108	http://www.us-cert.gov/cas/techalerts/TA08-225A.html	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/2352	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886

Impacted products

Vendor	Product	Version
microsoft	outlook_express	5.5
microsoft	outlook_express	6.0
microsoft	outlook_express	6.0
microsoft	windows_mail	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "589E5F7F-5429-4050-8C0D-F7F8D18DEB3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "85FD3557-956D-4A96-8AA5-5FD9DB87FD11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "D45F2775-A10B-4834-A2EF-7498EEAB155D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0BDD015F-267D-4E33-885B-6A14F493CCC5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\""
    },
    {
      "lang": "es",
      "value": "El manejador de protocolo MHTML en un componente de Outlook Express versiones 5.5 SP2 y 6 hasta SP1 y Windows Mail de Microsoft no asigna la zona de seguridad de Internet Explorer correcta a los nombres de ruta (path) de recurso compartido UNC, lo que permite a los atacantes remotos omitir las restricciones de acceso previstas y leer archivos arbitrarios por medio de un URI mhtml: en conjunto con un redireccionamiento, tambi\u00e9n se conoce como \"URL Parsing Cross-Domain Information Disclosure Vulnerability\"."
    }
  ],
  "id": "CVE-2008-1448",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2008-08-13T00:41:00.000",
  "references": [
    {
      "source": "secure@microsoft.com",
      "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31415"
    },
    {
      "source": "secure@microsoft.com",
      "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
    },
    {
      "source": "secure@microsoft.com",
      "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/30585"
    },
    {
      "source": "secure@microsoft.com",
      "url": "http://www.securitytracker.com/id?1020679"
    },
    {
      "source": "secure@microsoft.com",
      "url": "http://www.securitytracker.com/id?1020680"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
    },
    {
      "source": "secure@microsoft.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2008/2352"
    },
    {
      "source": "secure@microsoft.com",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
    },
    {
      "source": "secure@microsoft.com",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31415"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/30585"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020679"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020680"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2008/2352"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2008-1448

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2008-1448

Aliases

CVE-2008-1448

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-1448",
    "description": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\"",
    "id": "GSD-2008-1448"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-1448"
      ],
      "details": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\"",
      "id": "GSD-2008-1448",
      "modified": "2023-12-13T01:23:02.980597Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secure@microsoft.com",
        "ID": "CVE-2008-1448",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1020679",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1020679"
          },
          {
            "name": "30585",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/30585"
          },
          {
            "name": "TA08-225A",
            "refsource": "CERT",
            "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
          },
          {
            "name": "http://www.coresecurity.com/content/internet-explorer-zone-elevation",
            "refsource": "MISC",
            "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
          },
          {
            "name": "MS08-048",
            "refsource": "MS",
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
          },
          {
            "name": "1020680",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1020680"
          },
          {
            "name": "HPSBST02360",
            "refsource": "HP",
            "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
          },
          {
            "name": "SSRT080117",
            "refsource": "HP",
            "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
          },
          {
            "name": "20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
          },
          {
            "name": "31415",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/31415"
          },
          {
            "name": "ADV-2008-2352",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2008/2352"
          },
          {
            "name": "oval:org.mitre.oval:def:5886",
            "refsource": "OVAL",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2008-1448"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "30585",
              "refsource": "BID",
              "tags": [
                "Patch"
              ],
              "url": "http://www.securityfocus.com/bid/30585"
            },
            {
              "name": "1020679",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1020679"
            },
            {
              "name": "1020680",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1020680"
            },
            {
              "name": "31415",
              "refsource": "SECUNIA",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/31415"
            },
            {
              "name": "HPSBST02360",
              "refsource": "HP",
              "tags": [],
              "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
            },
            {
              "name": "http://www.coresecurity.com/content/internet-explorer-zone-elevation",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
            },
            {
              "name": "TA08-225A",
              "refsource": "CERT",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
            },
            {
              "name": "ADV-2008-2352",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2008/2352"
            },
            {
              "name": "oval:org.mitre.oval:def:5886",
              "refsource": "OVAL",
              "tags": [],
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
            },
            {
              "name": "20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
            },
            {
              "name": "MS08-048",
              "refsource": "MS",
              "tags": [],
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2018-10-12T21:47Z",
      "publishedDate": "2008-08-13T00:41Z"
    }
  }
}

CERTA-2008-AVI-408

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité dans les clients de messagerie de certains systèmes Windows permet à un utilisateur malveillant de porter atteinte à la confidentialité de données.

Description

Une vulnérabilité est présente dans le traitement des adresses en MHTML. Elle permet à un utilisateur malveillant d'accéder indûment à des informations.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	Windows	Windows Mail sur Windows Vista et Windows Vista x64 Edition ;
Microsoft	Windows	Outlook Express 6 Windows Server 2003 SP1 et SP2 ;
Microsoft	Windows	Windows Mail sur Windows Vista et Windows Vista x64 Edition SP1 ;
Microsoft	Windows	Windows Mail sur Windows Server 2008 pour systèmes 32 bits, x64 et Itanium.
Microsoft	Windows	Outlook Express 6 Windows XP SP2 et SP3 ;
Microsoft	Windows	Outlook Express 6 Windows XP x64 Edition avec ou sans SP2 ;
Microsoft	Windows	Outlook Express 5.5 et 6 SP1 sur Windows 2000 SP4 ;
Microsoft	Windows	Outlook Express 6 Windows Server 2003 SP1 et SP2 pour Itanium ;

References

Title

Publication Time

Tags

Bulletin Microsoft MS08-048 du 12 août 2008	None	vendor-advisory
Bulletin de sécurité Microsoft MS08-048 du 12 août 2008 :	-	other
Bulletin de sécurité Microsoft MS08-048 du 12 août 2008 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Windows Mail sur Windows Vista et Windows Vista x64 Edition ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows Server 2003 SP1 et SP2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Mail sur Windows Vista et Windows Vista x64 Edition SP1 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Mail sur Windows Server 2008 pour syst\u00e8mes 32 bits, x64 et Itanium.",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows XP SP2 et SP3 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows XP x64 Edition avec ou sans SP2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 5.5 et 6 SP1 sur Windows 2000 SP4 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows Server 2003 SP1 et SP2 pour Itanium ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 est pr\u00e9sente dans le traitement des adresses en MHTML.\nElle permet \u00e0 un utilisateur malveillant d\u0027acc\u00e9der ind\u00fbment \u00e0 des\ninformations.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2008-1448",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1448"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS08-048 du 12 ao\u00fbt 2008 :",
      "url": "http://www.microsoft.com/technet/security/Bulletin/MS08-048.mspx"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS08-048 du 12 ao\u00fbt 2008 :",
      "url": "http://www.microsoft.com/france/technet/security/Bulletin/MS08-048.mspx"
    }
  ],
  "reference": "CERTA-2008-AVI-408",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2008-08-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans les clients de messagerie de certains syst\u00e8mes\nWindows permet \u00e0 un utilisateur malveillant de porter atteinte \u00e0 la\nconfidentialit\u00e9 de donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Outlook Express et Windows Mail",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin Microsoft MS08-048 du 12 ao\u00fbt 2008",
      "url": null
    }
  ]
}

CERTA-2008-AVI-408

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité dans les clients de messagerie de certains systèmes Windows permet à un utilisateur malveillant de porter atteinte à la confidentialité de données.

Description

Une vulnérabilité est présente dans le traitement des adresses en MHTML. Elle permet à un utilisateur malveillant d'accéder indûment à des informations.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	Windows	Windows Mail sur Windows Vista et Windows Vista x64 Edition ;
Microsoft	Windows	Outlook Express 6 Windows Server 2003 SP1 et SP2 ;
Microsoft	Windows	Windows Mail sur Windows Vista et Windows Vista x64 Edition SP1 ;
Microsoft	Windows	Windows Mail sur Windows Server 2008 pour systèmes 32 bits, x64 et Itanium.
Microsoft	Windows	Outlook Express 6 Windows XP SP2 et SP3 ;
Microsoft	Windows	Outlook Express 6 Windows XP x64 Edition avec ou sans SP2 ;
Microsoft	Windows	Outlook Express 5.5 et 6 SP1 sur Windows 2000 SP4 ;
Microsoft	Windows	Outlook Express 6 Windows Server 2003 SP1 et SP2 pour Itanium ;

References

Title

Publication Time

Tags

Bulletin Microsoft MS08-048 du 12 août 2008	None	vendor-advisory
Bulletin de sécurité Microsoft MS08-048 du 12 août 2008 :	-	other
Bulletin de sécurité Microsoft MS08-048 du 12 août 2008 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Windows Mail sur Windows Vista et Windows Vista x64 Edition ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows Server 2003 SP1 et SP2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Mail sur Windows Vista et Windows Vista x64 Edition SP1 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Windows Mail sur Windows Server 2008 pour syst\u00e8mes 32 bits, x64 et Itanium.",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows XP SP2 et SP3 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows XP x64 Edition avec ou sans SP2 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 5.5 et 6 SP1 sur Windows 2000 SP4 ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Outlook Express 6 Windows Server 2003 SP1 et SP2 pour Itanium ;",
      "product": {
        "name": "Windows",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 est pr\u00e9sente dans le traitement des adresses en MHTML.\nElle permet \u00e0 un utilisateur malveillant d\u0027acc\u00e9der ind\u00fbment \u00e0 des\ninformations.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2008-1448",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1448"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS08-048 du 12 ao\u00fbt 2008 :",
      "url": "http://www.microsoft.com/technet/security/Bulletin/MS08-048.mspx"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS08-048 du 12 ao\u00fbt 2008 :",
      "url": "http://www.microsoft.com/france/technet/security/Bulletin/MS08-048.mspx"
    }
  ],
  "reference": "CERTA-2008-AVI-408",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2008-08-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans les clients de messagerie de certains syst\u00e8mes\nWindows permet \u00e0 un utilisateur malveillant de porter atteinte \u00e0 la\nconfidentialit\u00e9 de donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Outlook Express et Windows Mail",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin Microsoft MS08-048 du 12 ao\u00fbt 2008",
      "url": null
    }
  ]
}

GHSA-8XJ3-MF49-RFMM

Vulnerability from github – Published: 2022-05-01 23:40 – Updated: 2022-05-01 23:40

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-1448"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-08-13T00:41:00Z",
    "severity": "HIGH"
  },
  "details": "The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka \"URL Parsing Cross-Domain Information Disclosure Vulnerability.\"",
  "id": "GHSA-8xj3-mf49-rfmm",
  "modified": "2022-05-01T23:40:22Z",
  "published": "2022-05-01T23:40:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1448"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=121915960406986\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31415"
    },
    {
      "type": "WEB",
      "url": "http://www.coresecurity.com/content/internet-explorer-zone-elevation"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/495458/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30585"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020679"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020680"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA08-225A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2352"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-1448 (GCVE-0-2008-1448)

FKIE_CVE-2008-1448

GSD-2008-1448

CERTA-2008-AVI-408

Description

Solution

CERTA-2008-AVI-408

Description

Solution

GHSA-8XJ3-MF49-RFMM

Tags

Sightings

Nomenclature