Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2948Improper Access Control in Microsoft Internet Explorer

CWE-284Improper Access Control5 documents3 sources
Severity
6.8MEDIUMNVD
EPSS
43.9%
top 2.45%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Microsoft Internet Explorer
Timeline
PublishedJun 30
Latest updateMay 1

Description

Cross-domain vulnerability in Microsoft Internet Explorer 7 and 8 allows remote attackers to change the location property of a frame via the Object data type, and use a frame from a different domain to observe domain-independent events, as demonstrated by observing onkeydown events with caballero-listener. NOTE: according to Microsoft, this is a duplicate of CVE-2008-2947, possibly a different attack vector.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDmicrosoft/internet_explorer4 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-ww6f-jp5h-g5hq: Cross-domain vulnerability in Microsoft Internet Explorer 52022-05-01
GHSA
GHSA-c5jv-q5g8-55g4: Cross-domain vulnerability in Microsoft Internet Explorer 7 and 8 allows remote attackers to change the location property of a frame via the Object da2022-05-01

💥Exploits & PoCs

1
Exploit-DB
Microsoft Internet Explorer 7/8 Beta 1 - Frame Location Cross Domain Security Bypass2008-06-27
CVE-2008-2948 — Improper Access Control in Microsoft | cvebase