ID CVE-2006-3280
Summary Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 18-10-2018 - 16:46)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
accepted 2015-08-03T04:02:05.904-04:00
class vulnerability
contributors
  • name Robert L. Hollis
    organization ThreatGuard, Inc.
  • name Matthew Wojcik
    organization The MITRE Corporation
  • name Preeti Subramanian
    organization SecPod Technologies
  • name Maria Mikhno
    organization ALTX-SOFT
  • name Maria Mikhno
    organization ALTX-SOFT
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Windows Server 2003 (x86) Gold is installed
    oval oval:org.mitre.oval:def:165
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP SP1 (64-bit) is installed
    oval oval:org.mitre.oval:def:480
  • comment Microsoft Windows Server 2003 SP1 (x86) is installed
    oval oval:org.mitre.oval:def:565
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows XP SP2 or later is installed
    oval oval:org.mitre.oval:def:521
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows 2000 SP4 or later is installed
    oval oval:org.mitre.oval:def:229
  • comment Microsoft Windows XP SP1 (32-bit) is installed
    oval oval:org.mitre.oval:def:1
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows 2000 SP4 or later is installed
    oval oval:org.mitre.oval:def:229
  • comment Microsoft Internet Explorer 5.01 SP4 is installed
    oval oval:org.mitre.oval:def:325
description Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability."
family windows
id oval:org.mitre.oval:def:738
status accepted
submitted 2006-08-11T12:53:40
title Redirect Cross-Domain Information Disclosure Vulnerability
version 81
refmap via4
bid 18682
bugtraq
  • 20060630 Browser bugs hit IE, Firefox today (SANS)
  • 20060630 ISC: Firefox immune to outerHTML flaw in MSIE [Was: Browser bugs hit IE, Firefox]
  • 20060630 RE: [Full-disclosure] Browser bugs hit IE, Firefox today (SANS)
  • 20060630 Re: Browser bugs hit IE, Firefox today (SANS)
  • 20060630 Re: [Full-disclosure] Browser bugs hit IE, Firefox today (SANS)
  • 20060704 Re: Browser bugs hit IE, Firefox today (SANS)
cert TA06-220A
cert-vn VU#883108
fulldisc 20060627 IE_ONE_MINOR_ONE_MAJOR
misc
sectrack 1016388
secunia
  • 20825
  • 21396
vupen
  • ADV-2006-2553
  • ADV-2006-3212
xf ie-redirection-information-disclosure(27452)
Last major update 18-10-2018 - 16:46
Published 28-06-2006 - 22:05
Last modified 18-10-2018 - 16:46
Back to Top