CVE-2011-2019: Untrusted Search Path in Microsoft Internet Explorer

Severity: 9.3 CRITICAL (NVD)
EPSS: 26.6% (top 3.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 14
Latest update: Oct 17

Description

Untrusted search path vulnerability in Microsoft Internet Explorer 9 on Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains an HTML file, aka "Internet Explorer Insecure Library Loading Vulnerability."

CVSS vector

AV:N/AC:M/C:C/I:C/A:C
Exploitability: 8.6 | Impact: 10.0

Affected Packages: 2 packages

Patches

🔴 Vulnerability Details (1)

GHSA
GHSA-qqfg-frwj-847v: Untrusted search path vulnerability in Microsoft Internet Explorer 9 on Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows local user (2022-05-13)

💥 Exploits & PoCs (1)

Exploit-DB
ktsuss 1.4 - suid Privilege Escalation (Metasploit) (2019-09-03)

📋 Vendor Advisories (5)

Drupal
Various Third-Party Vulnerabilities - PSA-2019-09-04 (2019-09-04)
Red Hat
struts: improper access restrictions to collections such as session and request (2011-12-21)
Red Hat
struts: Multiple XSS flaws in component handlers in javatemplates plug-in (2011-03-23)
Red Hat
struts: Multiple XSS flaws in XWork (2011-02-22)
Red Hat
struts: Allows remote attackers to obtain potentially sensitive information via vectors involving an s:submit element (2011-02-22)

🕵️ Threat Intelligence (1)

Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 1

💬 Community (3)

Bugzilla
CVE-2019-25076 openvswitch: DoS via crafted packet (2022-10-17)
Bugzilla
CVE-2011-2715 drupal: SQL injection due to insufficient sanitization of table names or column names (2020-02-06)
Bugzilla
CVE-2011-2714 drupal: XSS due to insufficient sanitization of table descriptions, field names, or labels before display (2020-01-28)