CVE-2009-2064

Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://research.microsoft.com/apps/pubs/default.aspx?id=79323
http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf
http://www.securityfocus.com/bid/35403
https://exchange.xforce.ibmcloud.com/vulnerabilities/51186

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microsoft:internet_explorer::beta2::::::*
	cpe:2.3:a:microsoft:internet_explorer:5:::::::*
	cpe:2.3:a:microsoft:internet_explorer:5.01:sp4::::::
	cpe:2.3:a:microsoft:internet_explorer:6:::::::*
	cpe:2.3:a:microsoft:internet_explorer:6:sp1::::::
	cpe:2.3:a:microsoft:internet_explorer:6:sp2::::::
	cpe:2.3:a:microsoft:internet_explorer:7:::::::*
	cpe:2.3:a:microsoft:internet_explorer:7.0.5730:::::::*
	cpe:2.3:a:microsoft:internet_explorer:8:::::::*
	cpe:2.3:a:microsoft:internet_explorer:8:beta1::::::
	cpe:2.3:a:microsoft:internet_explorer:8.0b:::::::*
	cpe:2.3:a:microsoft:pocket_ie:1.0:::::::*
	cpe:2.3:a:microsoft:pocket_ie:1.1:::::::*
	cpe:2.3:a:microsoft:pocket_ie:2.0:::::::*
	cpe:2.3:a:microsoft:pocket_ie:3.0:::::::*
	cpe:2.3:a:microsoft:pocket_ie:4.0:::::::*
	cpe:2.3:a:microsoft:pocket_ie:2002:::::::*
	cpe:2.3:a:microsoft:pocket_ie:2003:::::::*

History

No history.

Information

Published : 2009-06-15 19:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-2064

Mitre link : CVE-2009-2064

CVE.ORG link : CVE-2009-2064

JSON object : View

Products Affected

microsoft

internet_explorer
pocket_ie

CWE

CWE-287

Improper Authentication

{"id": "CVE-2009-2064", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-06-15T19:30:05.593", "references": [{"url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323", "source": "cve@mitre.org"}, {"url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/35403", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51186", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to \"HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.\""}, {"lang": "es", "value": "Microsoft Internet Explorer 8, y posiblemente otras versiones, detecta contenido http en p\u00e1ginas web https solamente en marcos de alto nivel que usan https, lo que permite a los atacantes \"hombre en el medio\" ejecutar arbitrariamente una secuencia de comandos web, en un contexto de una p\u00e1gina https, modificando una p\u00e1gina http que incluya un iframe https que referencia a un archivo de secuencia de comandos en un sitio http, relativo a p\u00e1ginas \"HTTP-Intended-but-HTTPS-Loadable (HPIHSL)\"."}], "lastModified": "2018-10-30T16:26:25.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:internet_explorer:*:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFF1D247-1AF2-44C6-81D2-9C868A62BC00", "versionEndIncluding": "8"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4071D03-D955-4C1B-ACD8-A864F7D0FA02"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:5.01:sp4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3F2A51E-2675-4993-B9C2-F2D176A92857"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "693D3C1C-E3E4-49DB-9A13-44ADDFF82507"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D47247A3-7CD7-4D67-9D9B-A94A504DA1BE"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:6:sp2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59159262-BA89-46B9-B16F-0CC6A5502C58"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A33FA7F-BB2A-4C66-B608-72997A2BD1DB"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:7.0.5730:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3B85C32-02F5-43F5-8BBB-5A240F99BAA9"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A52E757F-9B41-43B4-9D67-3FEDACA71283"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:8:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06E95EE4-23D8-40F7-9DFF-6C835AB62AE7"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:8.0b:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21CCF994-2F4D-44FE-89F7-0F92734D5AF4"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AC33FCB-8A30-497E-8369-D6A0A30EEB23"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F51C049-0E1B-42DE-898D-E18B350EE7D0"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5354582-A1D1-46CB-A05A-A086820C1013"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8075385C-29C6-4E2D-938A-CD1444892609"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3168D511-6FFD-40D0-B46B-352C6A1CF34C"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:2002:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87D57619-255D-46DD-9C32-E4B7F5F3689A"}, {"criteria": "cpe:2.3:a:microsoft:pocket_ie:2003:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6284FCA-2362-42A2-A9FE-E6E385191E4D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}