PRIOn knowledge basePRION:CVE-2008-1448

HistoryAug 13, 2008 - 12:41 a.m.

Information disclosure

2008-08-1300:41:00

PRIOn knowledge base

www.prio-n.com

6.5 Medium

AI Score

Confidence

Low

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.948 High

EPSS

Percentile

99.2%

JSON

The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka “URL Parsing Cross-Domain Information Disclosure Vulnerability.”

CPENameOperatorVersion
outlook_expresseq6.0 sp1
outlook_expresseq5.5 sp2
outlook_expresseq6.0

Name	Operator	Version
outlook_express	eq	6.0 sp1
outlook_express	eq	5.5 sp2
outlook_express	eq	6.0

References

secunia.com/advisories/31415

www.coresecurity.com/content/internet-explorer-zone-elevation

www.securityfocus.com/archive/1/495458/100/0/threaded

www.securityfocus.com/bid/30585

www.securitytracker.com/id?1020679

www.securitytracker.com/id?1020680

www.us-cert.gov/cas/techalerts/TA08-225A.html

www.vupen.com/english/advisories/2008/2352

docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048

marc.info/?l=bugtraq&m=121915960406986&w=2

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886

6.5 Medium

AI Score

Confidence

Low

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.948 High

EPSS

Percentile

99.2%

JSON

Related for PRION:CVE-2008-1448