ID CVE-2007-5355
Summary The Web Proxy Auto-Discovery (WPAD) feature in Microsoft Internet Explorer 6 and 7, when a primary DNS suffix with three or more components is configured, resolves an unqualified wpad hostname in a second-level domain outside this configured DNS domain, which allows remote WPAD servers to conduct man-in-the-middle (MITM) attacks.
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:5.01:sp4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:64-bit:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:64-bit_sp2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:itanium_sp1:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:itanium_sp2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:sp2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:*:x64:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 23-07-2021 - 15:04)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
refmap via4
bid 26686
confirm http://www.microsoft.com/technet/security/advisory/945713.mspx
mskb 945713
sectrack 1019033
secunia 27901
vupen ADV-2007-4064
Last major update 23-07-2021 - 15:04
Published 05-12-2007 - 11:46
Last modified 23-07-2021 - 15:04