FKIE_CVE-1999-1087

Vulnerability from fkie_nvd - Published: 1999-12-31 05:00 - Updated: 2025-04-03 01:03
Severity ?
Summary
Internet Explorer 4 treats a 32-bit number ("dotless IP address") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server.
References
cve@mitre.orghttp://support.microsoft.com/support/kb/articles/q168/6/17.aspPatch, Vendor Advisory
cve@mitre.orghttp://www.microsoft.com/Windows/Ie/security/dotless.asp
cve@mitre.orghttp://www.osvdb.org/7828
cve@mitre.orghttps://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/2209
af854a3a-2127-422b-91ae-364da2661108http://support.microsoft.com/support/kb/articles/q168/6/17.aspPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.microsoft.com/Windows/Ie/security/dotless.asp
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/7828
af854a3a-2127-422b-91ae-364da2661108https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/2209
Impacted products
Vendor Product Version
microsoft internet_explorer 4.0
microsoft internet_explorer 4.0.1
microsoft internet_explorer 4.0.1
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5B815D9-BC21-4A17-AF00-B8AD181027D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:internet_explorer:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "42502347-DD40-4F8C-9861-C0A88A3F8608",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:internet_explorer:4.0.1:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "0AF9C64F-9A67-4BA9-A653-75507935E6EA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Internet Explorer 4 treats a 32-bit number (\"dotless IP address\") in the a URL as the hostname instead of an IP address, which causes IE to apply Local Intranet Zone settings to the resulting web page, allowing remote malicious web servers to conduct unauthorized activities by using URLs that contain the dotless IP address for their server."
    }
  ],
  "id": "CVE-1999-1087",
  "lastModified": "2025-04-03T01:03:51.193",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "1999-12-31T05:00:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://support.microsoft.com/support/kb/articles/q168/6/17.asp"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.microsoft.com/Windows/Ie/security/dotless.asp"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/7828"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/2209"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://support.microsoft.com/support/kb/articles/q168/6/17.asp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.microsoft.com/Windows/Ie/security/dotless.asp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/7828"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-016"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/2209"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.