CVE-2015-0072
Published 2015-02-07
Priority P269 · medium · CVSS 2.0: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 71.70% (99.3th percentile)
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs
url: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/ie_uxss_injection.rb
- Exploit requires target page to be embeddable in an IFRAME (no X-Frame-Options header). Detect exploitation attempts by monitoring for cross-origin IFRAME chains where a first IFRAME triggers a redirect and a second IFRAME does not, followed by eval of a WindowProxy object.
- Cookie theft is the default payload of the Metasploit exploit module for this CVE. Monitor for unexpected cross-domain cookie exfiltration from IE 10/11 sessions.
- Attacker-controlled JavaScript can be injected via the CUSTOMJS option in the Metasploit module. Monitor for unexpected script execution in cross-origin IFRAME contexts in IE 10/11.
- The exploit will fail if the target URI enforces X-Frame-Options, as the attack requires the target to be embeddable in an IFRAME.
- If the attacker is behind NAT, the URIHOST option must be configured correctly in the Metasploit module for the exploit to function.
- This vulnerability affects Internet Explorer 9 through 11 (NVD), but the Metasploit module specifically targets IE 10 and 11.
CVSS provenance
- nvd: v2.0, 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
- vulncheck: 4.3 MEDIUM
GHSA
ghsa_unreviewed·2022-05-14
CVE-2015-0072 [MEDIUM] CWE-79 GHSA-w5f7-x6mf-vc7q: Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inje
VulnCheck
Microsoft Internet Explorer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2015·CVSS 4.3
CVE-2015-0072 [MEDIUM] Microsoft Internet Explorer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-018; https://d
No detection rules found.
Talos
[CRITICAL] Microsoft Patch Tuesday for March 2015: 14 Bulletins Released; FREAK Patched
blogs_talos · 2015-03-10 · CVSS 9.3
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 45 CVEs. The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are rated important and cover vulnerabilities within Windows Kernel Mode Drivers, Exchange, Task Scheduler, Remote Desktop, SChannel, and the Microsoft Graphics component.
## Bulletins Rated Critical
MS15-018, MS15-019, MS15-020, MS15-021, and MS15-022 are rated Critical.
MS15-018 addresses multiple vulnerabilities within Internet Explorer, versions 6 through 11. 12 CVEs were resolved this month, including CVE-2015-0
Zscaler
Zscaler found Multiple Security Vulnerabilities | 03-10-2015
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 03-10-2015
HackerOne
HackerOne is still prone to Internet Explorer UXSS
hackerone·2017-04-19
Hi, I have managed to leverage CVE 2015-0072, so that the attack will work with any framed resource protected by `X-Frame-Options: DENY` header.
According to #103787, only https://hackerone.com/cdn-cgi/trace was unprotected and now it's already fixed. In my PoC I used several X-Frame-Options protected resources of HackerOne and the attack was executed successfully.
Proof Of Concept
1. exploit.php
I added alert() message after executing the payload (read content of current_user.json) because responseText wasn't readable as steadyState stick at 1 and status at 0
```
" style="">
" style="">
top[0].eval('_=top[1];xhttp=new XMLHttpRequest();xhttp.open("get","delay.php?",false);xhttp.send(); _.location="javascript:http=new XMLHttpRequest();
```
Bugzilla
CVE-2015-7975 ntp: nextvar() missing length check in ntpq
bugzilla·2016-01-20·CVSS 6.2
CVE-2015-7975 [MEDIUM] CVE-2015-7975 ntp: nextvar() missing length check in ntpq
It was found that ntpq did not implement a proper length check when calling nextvar(), which executes a memcpy(), on the name buffer.
A remote attacker could potentially use this flaw to crash an ntpq client instance.
Upstream patch:
https://github.com/ntp-project/ntp/commit/12f1323d18c8d74eb14fb5ac5574183d779794c5
Discussion:
External References:
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0072/
---
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1300277]
---
Statement:
This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the affected code, which w
References
- http://community.websense.com/blogs/securitylabs/archive/2015/02/05/another-day-another-zero-day-internet-explorer-s-turn-cve-2015-0072.aspx
- http://innerht.ml/blog/ie-uxss.html
- http://packetstormsecurity.com/files/130308/Microsoft-Internet-Explorer-Universal-XSS-Proof-Of-Concept.html
- http://seclists.org/fulldisclosure/2015/Feb/0
- http://secunia.com/advisories/62658
- http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html
- http://www.securityfocus.com/archive/1/534662/100/0/threaded
- http://www.securityfocus.com/bid/72489
- http://www.securitytracker.com/id/1031888
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-018
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100606
- https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bug/