CVE-2011-2011 — Sensitive Information Exposure in Microsoft Windows Server 2008

CWE-399 CWE-200 — Sensitive Information Exposure CWE-79 — Cross-site Scripting CWE-20 — Improper Input Validation52 documents8 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 34.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qooxdoo Microsoft Windows Server 2008

Timeline

PublishedOct 12

Latest updateMay 17

Description

Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, aka "Win32k Use After Free Vulnerability."

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages2 packages

▶NVDmicrosoft/windowsr2

▶npmqooxdoo/qooxdoo1.3

🔴Vulnerability Details

GHSA

QooxDoo XSS in Callback Parameter↗2022-05-17

▶

GHSA

Improper Input Validation in Jetty↗2022-05-14

▶

GHSA

GHSA-8xc3-g2x5-wjx3: Use-after-free vulnerability in win32k↗2022-05-13

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Terminal Services - Use-After-Free (MS12-020)↗2012-03-16

▶

Exploit-DB

aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution↗2011-11-05

▶

Exploit-DB

Joomla! Component HM Community - Multiple Vulnerabilities↗2011-10-31

▶

Exploit-DB

Chyrp 2.x - '/includes/JavaScript.php?action' Cross-Site Scripting↗2011-07-13

▶

Exploit-DB

ZipItFast 3.0 - '.zip' Heap Overflow↗2011-07-08

▶

📋Vendor Advisories

Red Hat

Mozilla: Possible XSS via HTTP 0.9 errors and content-sniffing↗2011-11-09

▶

Red Hat

BSD compress LZW decoder buffer overflow↗2011-08-10

▶

Red Hat

kernel: net: improve sequence number generation↗2011-08-07

▶

Cisco

Cisco RVS4000 and WRVS4400N Gigabit Security Routers Firmware SSL Key Disclosure Vulnerability↗2011-05-25

▶

Red Hat

kernel: DoS (crash) due slab corruption in inotify_init1 (incomplete fix for CVE-2010-4250)↗2011-04-05

▶

💬Community

Bugzilla

CVE-2011-4601 pidgin (libpurple): Invalid UTF-8 string handling in OSCAR messages↗2011-12-08

▶

Bugzilla

CVE-2011-4349 colord: Multiple SQL injection flaws in database routines processing color device mappings and devices↗2011-11-25

▶

Bugzilla

CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003)↗2011-11-01

▶

Bugzilla

CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012)↗2011-10-12

▶

Bugzilla

CVE-2011-2895 libXfont: LZW decompression heap corruption / infinite loop [fedora-all]↗2011-08-11

▶