CVE-2011-2383

EPSS 34.76%
Published 03.06.2011 17:55:00
Last modified 11.04.2025 00:51:21
Source cve@mitre.org
Teams watchlist Login
Open Login

Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

Affected products Warnungen 0 Metrics 2 CWE 1 References 15

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Ie Version9 Updatebeta

Microsoft ≫ Internet Explorer Version <= 9

Microsoft ≫ Internet Explorer Version3.0

Microsoft ≫ Internet Explorer Version4.0

Microsoft ≫ Internet Explorer Version5

Microsoft ≫ Internet Explorer Version6

Microsoft ≫ Internet Explorer Version7

Microsoft ≫ Internet Explorer Version8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	34.76%	0.969

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057

http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388

http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt

http://news.cnet.com/8301-1009_3-20066419-83.html

http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/

http://www.informationweek.com/news/security/vulnerabilities/229700031

http://www.networkworld.com/community/node/74259

http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

http://www.youtube.com/watch?v=V95CX-3JpK0

http://www.youtube.com/watch?v=VsSkcnIFCxM

https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12820

https://nvd.nist.gov/vuln/detail/CVE-2011-2383

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2011-2383

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2011-2383

EUVD