CVE-2011-2383

Currently unrated

Key Information:

Vendor: Microsoft
Status: Internet Explorer; Ie
Vendor: CVE Published:; 3 June 2011

Summary

Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

References

http://www.informationweek.com/news/security/vulnerabilit...

x_refsource_MISC

https://docs.microsoft.com/en-us/security-updates/securit...

vendor-advisoryx_refsource_MS

http://conference.hackinthebox.org/hitbsecconf2011ams/?pa...

x_refsource_MISC

EPSS Score

2% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jun 3, 2011
Vulnerability Reserved
Jun 3, 2011

Collectors

NVD DatabaseMitre Database