CVE-2015-0072
published 2015-02-07

Priority P269 · medium · 4.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.70% (99.3th percentile)
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |

Detection & IOCs (extracted from sources)

url: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/ie_uxss_injection.rb
  • Exploit requires target page to be embeddable in an IFRAME (no X-Frame-Options header). Detect exploitation attempts by monitoring for cross-origin IFRAME chains where a first IFRAME triggers a redirect and a second IFRAME does not, followed by eval of a WindowProxy object.
  • Cookie theft is the default payload of the Metasploit exploit module for this CVE. Monitor for unexpected cross-domain cookie exfiltration from IE 10/11 sessions.
  • Attacker-controlled JavaScript can be injected via the CUSTOMJS option in the Metasploit module. Monitor for unexpected script execution in cross-origin IFRAME contexts in IE 10/11.
  • The exploit will fail if the target URI enforces X-Frame-Options, as the attack requires the target to be embeddable in an IFRAME.
  • If the attacker is behind NAT, the URIHOST option must be configured correctly in the Metasploit module for the exploit to function.
  • This vulnerability affects Internet Explorer 9 through 11 (NVD), but the Metasploit module specifically targets IE 10 and 11.

CVSS provenance

nvd · v2.0 · 4.3 · MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck · 4.3 · MEDIUM