CVE-2014-0266
Published 2014-02-12
CVE-2014-0266: The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2…
Priority: P273 · high · 7.1 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:N/A:N
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 19.41% (97.0th percentile)
The XMLHTTP ActiveX controls in XML Core Services 3.0 in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to bypass the Same Origin Policy via a web page that is visited in Internet Explorer, aka "MSXML Information Disclosure Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
CVSS provenance
nvd · v2.0 · 7.1 HIGH · AV:N/AC:M/Au:N/C:C/I:N/A:N
vulncheck · 7.1 HIGH
GHSA
GHSA-4f72-53xg-j632: The XMLHTTP ActiveX controls in XML Core Services 3
ghsa_unreviewed·2022-05-14
CVE-2014-0266 [HIGH] CWE-200 GHSA-4f72-53xg-j632: The XMLHTTP ActiveX controls in XML Core Services 3
VulnCheck
Microsoft Windows Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2014·CVSS 7.1
CVE-2014-0266 [HIGH] Microsoft Windows Exposure of Sensitive Information to an Unauthorized Actor
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-0
No detection rules found.
No public exploits indexed.
Talos
Microsoft Update Tuesday: February 2014, huge fix for Internet Explorer
blogs_talos·2014-02-11·CVSS 9.3
[CRITICAL] Microsoft Update Tuesday: February 2014, huge fix for Internet Explorer
The Microsoft Updates are pretty significant this month. Internet Explorer, which was missing from the updates for the first time in a long time last month is back with a whopping 24 vulnerabilities. Besides the IE bulletin, there’s six more bulletins, 4 of which are rated critical and 3 of which are rated important. All-in-all, this Update Tuesday provides fixes for 32 CVEs. The list of bulletins below is ordered by rating rather than number (i.e., the same ordering as used here: https://technet.microsoft.com/en-us/security/bulletin/ms14-feb).
The first bulletin, MS14-010, deals with IE and is rated critical and provides fixes for 24 CVEs. As is usual, most of the vulnerabilities are the result of use-after-free vulnerabilities. Most of the vulnerabilities were reported privately to Micr
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-11-2014
blogs_zscaler
http://osvdb.org/103189
http://secunia.com/advisories/56771
http://www.securitytracker.com/id/1029746
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-005
2014-02-12: Published
Exploited in the wild