vendor:
Internet Explorer
by:
milw0rm
9.3
CVSS
HIGH
Cross-Domain Scripting
79
CWE
Product Name: Internet Explorer
Affected Version From: Internet Explorer 6.0
Affected Version To: Internet Explorer 8.0
Patch Exists: YES
Related CWE: CVE-2009-0075
CPE: a:microsoft:internet_explorer
Metasploit:
N/A
Other Scripts:
https://www.infosecmatter.com/nessus-plugin-library/?id=35630, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/browser/ms09_002_memory_corruption, https://www.infosecmatter.com/nessus-plugin-library/?id=58325, https://www.infosecmatter.com/nessus-plugin-library/?id=63402, https://www.infosecmatter.com/list-of-metasploit-windows-exploits-detailed-spreadsheet/, https://www.infosecmatter.com/nessus-plugin-library/?id=108808, https://www.infosecmatter.com/nessus-plugin-library/?id=53617
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009
Microsoft Internet Explorer “onload” Event Handler Cross-Domain Scripting Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the "onload" event handler. When a page is loaded, the browser will execute any code associated with the "onload" event handler. By using a specially crafted HTML page, an attacker can cause the browser to execute arbitrary code in the context of the currently logged in user.
Mitigation:
Upgrade to the latest version of Internet Explorer.
