Argument Injection Vulnerability in Microsoft Internet Explorer Affecting Windows Systems
CVE-2007-3924

Currently unrated

Key Information:

Vendor: Microsoft
CVE Published: 21 July 2007

Summary

An argument injection vulnerability exists in Microsoft Internet Explorer that affects systems where Netscape is installed. It allows remote attackers to conduct cross-browser scripting attacks by placing shell metacharacters in a -chrome argument of a navigatorurl URI. When the URI is invoked, that content is inserted into the command line built to launch netscape.exe, creating a risk of arbitrary command execution. There remains some contention over whether the vulnerability resides primarily in Internet Explorer or in Netscape, though it is generally acknowledged that Internet Explorer fails to adequately delimit the URL argument when calling Netscape, which means the same problem could arise with other protocol handlers.

EPSS Score

7% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability Reserved

  • Vulnerability published
