CVE-2001-0154 (GCVE-0-2001-0154)
Vulnerability from cvelistv5
Published
2001-05-07 04:00
Modified
2024-08-08 04:06
Severity ?
CWE
  • n/a
Summary
HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T04:06:55.428Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "CA-2001-06",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.cert.org/advisories/CA-2001-06.html"
          },
          {
            "name": "MS01-020",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"
          },
          {
            "name": "2524",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/2524"
          },
          {
            "name": "1001197",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1001197"
          },
          {
            "name": "ie-mime-execute-code(6306)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"
          },
          {
            "name": "L-066",
            "tags": [
              "third-party-advisory",
              "government-resource",
              "x_refsource_CIAC",
              "x_transferred"
            ],
            "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"
          },
          {
            "name": "oval:org.mitre.oval:def:141",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"
          },
          {
            "name": "20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=98596775905044\u0026w=2"
          },
          {
            "name": "7806",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/7806"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2001-03-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2004-09-02T09:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "CA-2001-06",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.cert.org/advisories/CA-2001-06.html"
        },
        {
          "name": "MS01-020",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"
        },
        {
          "name": "2524",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/2524"
        },
        {
          "name": "1001197",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1001197"
        },
        {
          "name": "ie-mime-execute-code(6306)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"
        },
        {
          "name": "L-066",
          "tags": [
            "third-party-advisory",
            "government-resource",
            "x_refsource_CIAC"
          ],
          "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"
        },
        {
          "name": "oval:org.mitre.oval:def:141",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"
        },
        {
          "name": "20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=98596775905044\u0026w=2"
        },
        {
          "name": "7806",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/7806"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2001-0154",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "CA-2001-06",
              "refsource": "CERT",
              "url": "http://www.cert.org/advisories/CA-2001-06.html"
            },
            {
              "name": "MS01-020",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"
            },
            {
              "name": "2524",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/2524"
            },
            {
              "name": "1001197",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1001197"
            },
            {
              "name": "ie-mime-execute-code(6306)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"
            },
            {
              "name": "L-066",
              "refsource": "CIAC",
              "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"
            },
            {
              "name": "oval:org.mitre.oval:def:141",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"
            },
            {
              "name": "20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=98596775905044\u0026w=2"
            },
            {
              "name": "7806",
              "refsource": "OSVDB",
              "url": "http://www.osvdb.org/7806"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2001-0154",
    "datePublished": "2001-05-07T04:00:00",
    "dateReserved": "2001-02-10T00:00:00",
    "dateUpdated": "2024-08-08T04:06:55.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2001-0154\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2001-05-03T04:00:00.000\",\"lastModified\":\"2025-04-03T01:03:51.193\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.\"},{\"lang\":\"es\",\"value\":\"Funcionalidad HTML en Internet Explorer 5.5 y anteriores, que permite al atacante la ejecuci\u00f3n de un archivo adjunto. Se consigue gracias al env\u00edo de cabeceras MIME inv\u00e1lidas para el adjunto que le permiten disfrazarse como un tipo de archivo no ejecutable. \\r\\n\\r\\nEl correo electr\u00f3nico v\u00eda HTML  se representa en p\u00e1ginas web que el explorador es capaz de interpretar. Cuando el correo contiene ficheros adjuntos el Explorador tambi\u00e9n es capaz de abrir la aplicaci\u00f3n asociada a los ficheros binarios adjuntos cuyo tipo (extensi\u00f3n de archivo) est\u00e1 definido en las cabeceras MIME. \\r\\n\\r\\nSin embargo, existe un defecto en el tipo de tratamiento que es especificado para ciertos tipos MIME sin identificar. Si un atacante crea un correo HTML conteniendo un  fichero adjunto ejecutable y le sustituye la informaci\u00f3n de cabecera MIME por otra, que contiene un tipo de archivo MIME reconocido, provocar\u00eda  la ejecuci\u00f3n autom\u00e1tica del adjunto.\\r\\n\\r\\nUn atacante podr\u00eda usar esta vulnerabilidad en cualquiera de estos dos escenarios.\\r\\n\\r\\nEl atacante pod\u00edra generar un correo electr\u00f3nico HTML infectado sobre un sitio web \u00fd despues intentar convencer a otro usuario para que los visite. El fichero adjunto ser\u00eda ejecutado autom\u00e1ticamente simplemente por visualizar la p\u00e1gina que muestra la lista de mensajes.\\r\\n\\r\\nEn el otro supuesto, el atacante conseguir\u00eda su objetivo envi\u00e1ndo directamente el correo HTML a la direcci\u00f3n del ususario que desea infectar.\\r\\n\\r\\nEn ambos supuestos la ejecuci\u00f3n del adjunto est\u00e1 limitada a los privilegios de sistema que tenga establecidos el ususario.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":true,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.5\",\"matchCriteriaId\":\"7BDFCFCB-6E90-4F29-9852-A3099DF05843\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:5.01:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6219D36E-9E2C-4DC7-8FD5-FAD144A333F6\"}]}]}],\"references\":[{\"url\":\"http://marc.info/?l=bugtraq\u0026m=98596775905044\u0026w=2\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securitytracker.com/id?1001197\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.cert.org/advisories/CA-2001-06.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.ciac.org/ciac/bulletins/l-066.shtml\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.osvdb.org/7806\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/2524\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/6306\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=98596775905044\u0026w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securitytracker.com/id?1001197\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.cert.org/advisories/CA-2001-06.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.ciac.org/ciac/bulletins/l-066.shtml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.osvdb.org/7806\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/2524\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/6306\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.