Cross-Zone Drag-and-Drop Vulnerability in Microsoft Internet Explorer
CVE-2011-2383

Currently unrated

Key Information:

Vendor
Microsoft
CVE Published:
3 June 2011

Summary

Microsoft Internet Explorer 9 and earlier versions do not adequately control cross-zone drag-and-drop operations. This flaw permits user-assisted remote attackers to access cookie files by way of an IFRAME element that contains an HTTP URL which redirects to a file URL. The issue was demonstrated with a Facebook game and is commonly termed 'cookiejacking.' The vulnerability arises from an incomplete resolution of a prior security issue present in Internet Explorer 9.

EPSS Score

35% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
