Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2004-1166 — Code Injection in Microsoft IE

CWE-94 — Code Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

66.1%

top 1.48%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft IE Microsoft Internet Explorer

Timeline

PublishedDec 31

Latest updateApr 29

Description

CRLF injection vulnerability in Microsoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDmicrosoft/internet_explorer6.0

▶NVDmicrosoft/ie6.0

🔴Vulnerability Details

GHSA

GHSA-c8f8-rjv5-g482: CRLF injection vulnerability in Microsoft Internet Explorer 6↗2022-04-29

▶

CVEList

CVE-2004-1166: CRLF injection vulnerability in Microsoft Internet Explorer 6↗2004-12-10

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Internet Explorer 5.0.1 - FTP URI Arbitrary FTP Server Command Execution↗2004-12-06

▶