CVE-2008-3843

Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework with the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a "<~/" (less-than tilde slash) sequence followed by a crafted STYLE element.
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:o:microsoft:windows-nt:2003:gold:server_x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp1:server:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp1:server_itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server_itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server_x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2008:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:gold:media_center_2005:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:gold:tablet_pc_2005:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:gold:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:sp3:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:1.0:sp3:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:o:microsoft:windows-nt:2003:gold:server_x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp1:server:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp1:server_itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server_itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server_x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2008:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2008:*:itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2008:*:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:vista:sp1:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:gold:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:sp3:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:gold:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*

Configuration 3 (hide)

AND
OR cpe:2.3:o:microsoft:windows-nt:2003:gold:server_x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp1:server:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp1:server_itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server_itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:2003:sp2:server_x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:gold:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows-nt:xp:sp3:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:gold:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*
cpe:2.3:a:microsoft:.net_framework:2.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2008-08-27 20:41

Updated : 2024-02-04 17:33


NVD link : CVE-2008-3843

Mitre link : CVE-2008-3843

CVE.ORG link : CVE-2008-3843


JSON object : View

Products Affected

microsoft

  • windows_xp
  • .net_framework
  • windows_2000
  • windows_vista
  • windows-nt
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')