National Cyber Awareness System

Vulnerability Summary for CVE-2008-2947

Overview

Cross-domain vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 7 allows remote attackers to access restricted information from other domains via JavaScript that uses the Object data type for the value of a (1) location or (2) location.href property, related to incorrect determination of the origin of web script, aka "Window Location Property Cross-Domain Vulnerability." NOTE: according to Microsoft, CVE-2008-2948 and CVE-2008-2949 are duplicates of this issue, probably different attack vectors.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

US-CERT Technical Alert: TA08-288A

Name: TA08-288A

Hyperlink:http://www.us-cert.gov/cas/techalerts/TA08-288A.html

US-CERT Vulnerability Note: VU#923508

Name: VU#923508

Hyperlink:http://www.kb.cert.org/vuls/id/923508

External Source: XF

Name: win-ms08kb956390-update(45565)

Hyperlink:http://xforce.iss.net/xforce/xfdb/45565

External Source: XF

Name: ie-location-locationhref-security-bypass(43366)

Hyperlink:http://xforce.iss.net/xforce/xfdb/43366

External Source: VUPEN

Name: ADV-2008-2809

Hyperlink:http://www.vupen.com/english/advisories/2008/2809

External Source: VUPEN

Name: ADV-2008-1940

Hyperlink:http://www.vupen.com/english/advisories/2008/1940/references

External Source: SECTRACK

Name: 1020382

Hyperlink:http://www.securitytracker.com/id?1020382

External Source: BID

Name: 29960

Hyperlink:http://www.securityfocus.com/bid/29960

External Source: MISC

Name: http://www.ph4nt0m.org-a.googlepages.com/PSTZine_0x02_0x04.txt

Hyperlink:http://www.ph4nt0m.org-a.googlepages.com/PSTZine_0x02_0x04.txt

External Source: MS

Name: MS08-058

Hyperlink:http://www.microsoft.com/technet/security/Bulletin/MS08-058.mspx

External Source: SECUNIA

Name: 30857

Type: Advisory

Hyperlink:http://secunia.com/advisories/30857

External Source: OVAL

Name: oval:org.mitre.oval:def:5901

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5901

External Source: HP

Name: SSRT080143

Hyperlink:http://marc.info/?l=bugtraq&m=122479227205998&w=2

External Source: HP

Name: SSRT080143

Hyperlink:http://marc.info/?l=bugtraq&m=122479227205998&w=2

External Source: MISC

Name: http://blogs.zdnet.com/security/?p=1348

Hyperlink:http://blogs.zdnet.com/security/?p=1348

References to Check Content

Identifier:oval:org.mitre.oval:def:5901

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:5901