CVE-2004-0121
Published 2004-04-15
Priority: P344 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 47.68% (98.7th percentile)
Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| — | chrome | < 59.0.3071.86 | 59.0.3071.86 |
| microsoft | office | — | — |
| microsoft | outlook | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_redhat · 7.5 HIGH
Red Hat
chromium-browser: possible command injection in mailto handling
vendor_redhat·2017-06-05·CVSS 7.5
CVE-2017-5078 [HIGH] chromium-browser: possible command injection in mailto handling
Insufficient validation of untrusted input in Blink's mailto: handling in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac allowed a remote attacker to perform command injection via a crafted HTML page, a similar issue to CVE-2004-0121. For example, characters such as * have an incorrect interaction with xdg-email in xdg-utils, and a space character can be used in front of a command-line argument.
GHSA
GHSA-mvv4-2gfv-gwc4: Insufficient validation of untrusted input in Blink's mailto: handling in Google Chrome prior to 59
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2017-5078 [HIGH] GHSA-mvv4-2gfv-gwc4: Insufficient validation of untrusted input in Blink's mailto: handling in Google Chrome prior to 59
GHSA
GHSA-88qv-6q9j-fhvv: Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when c
ghsa_unreviewed·2022-04-29
CVE-2004-0121 [HIGH] CWE-88 GHSA-88qv-6q9j-fhvv: Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when c
OSV
CVE-2017-5078: Insufficient validation of untrusted input in Blink's mailto: handling in Google Chrome prior to 59
osv·2017-10-27·CVSS 7.5
CVE-2017-5078 [HIGH] CVE-2017-5078: Insufficient validation of untrusted input in Blink's mailto: handling in Google Chrome prior to 59
References
http://marc.info/?l=bugtraq&m=107893704602842&w=2
http://www.ciac.org/ciac/bulletins/o-096.shtml
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities
http://www.kb.cert.org/vuls/id/305206
http://www.securityfocus.com/bid/9827
http://www.us-cert.gov/cas/techalerts/TA04-070A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-009
https://exchange.xforce.ibmcloud.com/vulnerabilities/15414
https://exchange.xforce.ibmcloud.com/vulnerabilities/15429
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A843