CVSS2: 7.6 High
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EPSS: 0.97 High
Percentile: 99.7%
Added: 11/17/2006
CVE: CVE-2006-5745
BID: 20915
OSVDB: 30208
Microsoft XML Core Services includes the XMLHTTP ActiveX control, which allows web pages to send and receive XML data.
A memory corruption vulnerability in the XMLHTTP ActiveX control allows command execution when a user loads a web page that calls the setRequestHeader method with invalid parameters.
Apply the patch referenced in Microsoft Security Bulletin 06-071.
<http://www.kb.cert.org/vuls/id/585137>
The exploit works on Internet Explorer 6 with Microsoft XML Core Services 4.0 Service Pack 2.
Successful exploitation requires a user to load the exploit page into Internet Explorer. There may be a delay before the exploit succeeds due to the large amount of memory required.
Windows