ID CVE-2007-2225
Summary A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain Information Disclosure Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2003_server:*:*:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:sp1:*:itanium:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:sp2:*:itanium:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:*:professional_x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp2:professional_x64:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:gold:x64:*:*:*:*:*
  • cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 16-10-2018 - 16:42)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity NONE
  • Availability NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
oval via4
accepted 2012-09-10T04:00:46.413-04:00
class vulnerability
contributors
  • name Sudhir Gandhe
    organization Secure Elements, Inc.
  • name Chandan S
    organization SecPod Technologies
definition_extensions
  • comment Microsoft Windows XP SP2 or later is installed
    oval oval:org.mitre.oval:def:521
  • comment Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval oval:org.mitre.oval:def:208
  • comment Microsoft Windows Server 2003 SP1 (x86) is installed
    oval oval:org.mitre.oval:def:565
  • comment Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval oval:org.mitre.oval:def:208
  • comment Microsoft Windows Server 2003 SP1 (x86) is installed
    oval oval:org.mitre.oval:def:565
  • comment Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval oval:org.mitre.oval:def:208
  • comment Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval oval:org.mitre.oval:def:208
  • comment Microsoft Windows XP x64 Edition SP2 is installed
    oval oval:org.mitre.oval:def:4193
  • comment Microsoft Windows XP SP1 (64-bit) is installed
    oval oval:org.mitre.oval:def:480
  • comment Microsoft Outlook Express 6.0 for Windows XP/2003 is installed
    oval oval:org.mitre.oval:def:208
description A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain Information Disclosure Vulnerability."
family windows
id oval:org.mitre.oval:def:2045
status accepted
submitted 2007-06-13T08:22:59.000-04:00
title URL Parsing Cross Domain Information Disclosure Vulnerability
version 74
refmap via4
bid 24392
bugtraq 20070622 MS07-034: Executing arbitrary script with mhtml: protocol handler
cert TA07-163A
cert-vn VU#682825
hp
  • HPSBST02231
  • SSRT071438
misc
osvdb 35345
sectrack
  • 1018231
  • 1018232
secunia 25639
vupen ADV-2007-2154
Last major update 16-10-2018 - 16:42
Published 12-06-2007 - 20:30
Last modified 16-10-2018 - 16:42