Metric | Value |
---|---|
CVSS2 | 5.1 Medium |
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:H/Au:N/C:P/I:P/A:P |
EPSS | 0.38 Low |
EPSS Percentile | 97.2% |
The ActiveX control “scriptlet.typlib” is incorrectly marked “safe for scripting” in Internet Explorer (IE) versions 4.0 and 5.0, when it is actually unsafe for scripting.
There exists a vulnerability in the default installation of an ActiveX control named “scriptlet.typlib,” used by developers to create type libraries for Windows Script Components. This ActiveX control allows local files to be created or modified and thus is unsafe for scripting by IE. However, it is incorrectly marked “safe for scripting” in IE versions 4.0 and 5.0 for Windows.
Any HTML document rendered in IE may call scriptlet.typlib and, without any warning displayed by IE, create or edit files with all permissions of the client user. Such attacks can occur when visiting unfriendly web sites, or rendering embedded HTML in email, newsgroup postings, or even server log entries.
Install the appropriate patches available at:
<http://www.microsoft.com/technet/security/bulletin/MS99-032.asp>
Disable ActiveX controls in IE.
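As an added example (not part of the original advisory or any vendor tooling), the following Python check scans a regedit text export for COM classes registered under the standard safe-for-scripting component category and flags any whose ProgID is on a watchlist. The sample export and its placeholder CLSIDs are constructed, and the ProgID spelling follows the advisory text.

```python
import re
# Standard COM component-category IDs that mark a control as safe for a script host.
SAFE_CATEGORIES = {
    "{7DD95801-9882-11CF-9FA8-00AA006C172A}": "safe for scripting",
    "{7DD95802-9882-11CF-9FA8-00AA006C172A}": "safe for initializing",
}
KEY_RE = re.compile(r"^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)"
                    r"\\CLSID\\(\{[0-9A-F-]{36}\})\\(.+)\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Constructed sample export; the CLSIDs are placeholders, not real class IDs.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\ProgID]
@="scriptlet.typlib.1"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA8-00AA006C172A}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\ProgID]
@="example.control.1"
"""

def safety_markings(reg_text):
    """Map each CLSID to its ProgIDs and the safety categories it registers."""
    classes, pending = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            entry = classes.setdefault(key.group(1).upper(), {"progids": set(), "marked": set()})
            head, _, tail = key.group(2).partition("\\")
            pending = None
            if head.lower() == "implemented categories" and tail.upper() in SAFE_CATEGORIES:
                entry["marked"].add(SAFE_CATEGORIES[tail.upper()])
            elif head.lower() in ("progid", "versionindependentprogid") and not tail:
                pending = entry  # this key's default value (@=) is the ProgID
        elif line.startswith("["):
            pending = None
        elif pending is not None and DEFAULT_RE.match(line):
            pending["progids"].add(DEFAULT_RE.match(line).group(1).lower())
    return classes

def flag_controls(reg_text, watchlist):
    """Return CLSIDs whose ProgID is on the watchlist and is marked safe for scripting."""
    watched = {name.lower() for name in watchlist}
    hits = []
    for clsid, entry in safety_markings(reg_text).items():
        # Also compare the version-independent form (trailing ".N" stripped).
        names = entry["progids"] | {re.sub(r"\.\d+$", "", p) for p in entry["progids"]}
        if names & watched and "safe for scripting" in entry["marked"]:
            hits.append(clsid)
    return sorted(hits)
```

Calling `flag_controls(SAMPLE_EXPORT, ["scriptlet.typlib"])` returns the placeholder CLSID of the first class; an empty list means no watched control carries the safe-for-scripting registration in that export.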
12746
Notified: August 21, 2001 Updated: November 17, 2001
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Thanks to Michael Kelfer for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
CVE IDs: | CVE-1999-0668 |
---|---|
Severity Metric: | 1.85 |
Date Public: | |