ID CVE-2003-0814
Summary Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:ie:5.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0.1:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0.1:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.0.1:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.0.1:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 12-10-2018 - 21:33)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2014-02-24T04:03:15.131-05:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:335
    status accepted
    submitted 2003-11-12T12:00:00.000-04:00
    title IE v5.01,SP2 ExecCommand Cross Domain Zone Restriction Bypass
    version 67
  • accepted 2014-02-24T04:03:15.395-05:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:341
    status accepted
    submitted 2003-11-12T12:00:00.000-04:00
    title IE v5.01,SP3 ExecCommand Cross Domain Zone Restriction Bypass
    version 67
  • accepted 2014-02-24T04:03:15.460-05:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:342
    status accepted
    submitted 2003-11-12T12:00:00.000-04:00
    title IE v5.01,SP4 ExecCommand Cross Domain Zone Restriction Bypass
    version 67
  • accepted 2014-02-24T04:03:15.531-05:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:343
    status accepted
    submitted 2003-11-12T12:00:00.000-04:00
    title IE v5.5,SP2 ExecCommand Cross Domain Zone Restriction Bypass
    version 66
  • accepted 2014-02-24T04:03:15.587-05:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:344
    status accepted
    submitted 2003-11-12T12:00:00.000-04:00
    title IE v6.0,SP1 ExecCommand Cross Domain Zone Restriction Bypass
    version 67
  • accepted 2014-02-24T04:03:15.657-05:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Harvey Rubinovitz
      organization The MITRE Corporation
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:349
    status accepted
    submitted 2003-11-12T12:00:00.000-04:00
    title IE v6.0,SP1 (Server 2003) ExecCommand Cross Domain Zone Restriction Bypass
    version 68
  • accepted 2014-02-24T04:03:17.425-05:00
    class vulnerability
    contributors
    • name Tiffany Bergeron
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Maria Mikhno
      organization ALTX-SOFT
    description Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability.
    family windows
    id oval:org.mitre.oval:def:392
    status accepted
    submitted 2003-11-12T05:00:00.000-04:00
    title IE v6.0 (XP) ExecCommand Cross Domain Zone Restriction Bypass
    version 67
refmap via4
bugtraq
  • 20030910 MSIE->BodyRefreshLoadsJPU:refresh is a new navigation method
  • 20030911 LiuDieYu's missing files are here.
cert-vn VU#326412
misc http://www.safecenter.net/liudieyu/BodyRefreshLoadsJPU/BodyRefreshLoadsJPU-Content.htm
sectrack 1007687
secunia 10192
Last major update 12-10-2018 - 21:33
Published 03-02-2004 - 05:00
Last modified 12-10-2018 - 21:33
Back to Top