Cross-Domain Vulnerability in Microsoft XML Core Services Affects Multiple Products
CVE-2008-4033

Currently unrated

Key Information:

Vendor: Microsoft
CVE Published: 12 November 2008

Summary

This vulnerability exists in Microsoft XML Core Services versions 3.0 through 6.0, as used across various Microsoft products including Expression Web, Office applications, and Internet Explorer. It allows remote attackers to use HTTP request header fields, specifically the Transfer-Encoding field, to gain unauthorized access to sensitive information from another domain and potentially manipulate the session state. Exploitation could expose users to further attacks by compromising the integrity of their sessions across different domains.

EPSS Score

58% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
