Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2003-1025 — Improper Input Validation in Microsoft Internet Explorer

CWE-20 — Improper Input Validation8 documents3 sources

Severity

5.8MEDIUMNVD

NVD4.3

EPSS

64.2%

top 1.55%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft Internet Explorer

Timeline

PublishedJan 20

Latest updateMay 14

Description

Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability."

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDmicrosoft/internet_explorer6, 6.0+1

🔴Vulnerability Details

GHSA

GHSA-wjcf-x5xh-gf27: Visual truncation vulnerability in Microsoft Internet Explorer 6 allows remote attackers to spoof the address bar via a URL with a hostname containing↗2022-05-14

▶

GHSA

GHSA-crf3-j64w-gfx8: Internet Explorer 5↗2022-04-29

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Windows Server 2000/2003 - Recursive DNS Spoofing (2)↗2007-11-13

▶

Exploit-DB

Opera Browser 6.0 6 - URI Display Obfuscation↗2003-12-23

▶

Exploit-DB

Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)↗2003-12-09

▶

Exploit-DB

Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)↗2003-12-09

▶