CVE-2008-4033

Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:*
OR cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:*
OR cpe:2.3:a:microsoft:expression_web:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:expression_web:2:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:groove:2007:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_compatibility_pack:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_compatibility_pack:*:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_word_viewer:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2007:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2007:sp1:*:*:*:*:*:*

History

21 Nov 2024, 00:50

Type Values Removed Values Added
References () http://marc.info/?l=bugtraq&m=122703006921213&w=2 - () http://marc.info/?l=bugtraq&m=122703006921213&w=2 -
References () http://securitytracker.com/id?1021164 - () http://securitytracker.com/id?1021164 -
References () http://www.securityfocus.com/bid/32204 - Patch () http://www.securityfocus.com/bid/32204 - Patch
References () http://www.us-cert.gov/cas/techalerts/TA08-316A.html - Third Party Advisory, US Government Resource () http://www.us-cert.gov/cas/techalerts/TA08-316A.html - Third Party Advisory, US Government Resource
References () http://www.vupen.com/english/advisories/2008/3111 - () http://www.vupen.com/english/advisories/2008/3111 -
References () https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069 - () https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069 -
References () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5847 - () https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5847 -

Information

Published : 2008-11-12 23:30

Updated : 2024-11-21 00:50


NVD link : CVE-2008-4033

Mitre link : CVE-2008-4033

CVE.ORG link : CVE-2008-4033


JSON object : View

Products Affected

microsoft

  • windows_server_2008
  • windows_7
  • office_word_viewer
  • windows_2003_server
  • office_compatibility_pack
  • office
  • windows_vista
  • groove
  • expression_web
  • windows_xp
  • xml_core_services
  • windows_2000
  • sharepoint_server
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor