9.3

CVE-2008-2540

EPSS 46.4%
Veröffentlicht 03.06.2008 15:32:00
Zuletzt bearbeitet 09.04.2025 00:30:58
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 24

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apple ≫ Safari Version < 3.1.2

   Microsoft ≫ Internet Explorer Version7
   Microsoft ≫ Windows Server 2003
   Microsoft ≫ Windows Server 2008
   Microsoft ≫ Windows Vista Version-
   Microsoft ≫ Windows Xp Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	46.4%	0.976

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

http://www.us-cert.gov/cas/techalerts/TA09-104A.html

Third Party Advisory

US Government Resource

http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html

Vendor Advisory

Mailing List

http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx

Third Party Advisory

http://blogs.zdnet.com/security/?p=1230

Third Party Advisory

http://secunia.com/advisories/30467

Third Party Advisory

http://securitytracker.com/id?1020150

Third Party Advisory

VDB Entry

http://support.avaya.com/elmodocs2/security/ASA-2009-133.htm

Third Party Advisory

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=871138

Third Party Advisory

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

Broken Link

http://www.microsoft.com/technet/security/advisory/953818.mspx

Patch

Vendor Advisory

Mitigation

http://www.securityfocus.com/bid/29445

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id?1022047

Third Party Advisory

VDB Entry

http://www.vupen.com/english/advisories/2008/1706

Broken Link

http://www.vupen.com/english/advisories/2009/1028

Broken Link

http://www.vupen.com/english/advisories/2009/1029

Broken Link

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-014

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-015

https://exchange.xforce.ibmcloud.com/vulnerabilities/42765

Third Party Advisory

VDB Entry

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5782

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6108

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8509

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2008-2540

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2008-2540

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2008-2540

EUVD