Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2949Improper Access Control in Microsoft Internet Explorer

CWE-284Improper Access Control5 documents3 sources
Severity
6.8MEDIUMNVD
EPSS
40.4%
top 2.64%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Microsoft Internet Explorer
Timeline
PublishedJun 30
Latest updateMay 1

Description

Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to change the location property of a frame via the String data type, and use a frame from a different domain to observe domain-independent events, as demonstrated by observing onkeydown events with caballero-listener. NOTE: according to Microsoft, this is a duplicate of CVE-2008-2947, possibly a different attack vector.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDmicrosoft/internet_explorer5.01, 6, 7+2

🔴Vulnerability Details

2
GHSA
GHSA-97qf-jfmw-g24f: Cross-domain vulnerability in Microsoft Internet Explorer 6 and 7 allows remote attackers to change the location property of a frame via the String da2022-05-01
GHSA
GHSA-ww6f-jp5h-g5hq: Cross-domain vulnerability in Microsoft Internet Explorer 52022-05-01

💥Exploits & PoCs

1
Exploit-DB
Microsoft Internet Explorer 7/8 Beta 1 - Frame Location Cross Domain Security Bypass2008-06-27
CVE-2008-2949 — Improper Access Control in Microsoft | cvebase