cve-2009-2064
Vulnerability from cvelistv5
Published
2009-06-15 19:00
Modified
2024-08-07 05:36
Severity ?
Summary
Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
References
cve@mitre.orghttp://research.microsoft.com/apps/pubs/default.aspx?id=79323
cve@mitre.orghttp://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf
cve@mitre.orghttp://www.securityfocus.com/bid/35403
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/51186
af854a3a-2127-422b-91ae-364da2661108http://research.microsoft.com/apps/pubs/default.aspx?id=79323
af854a3a-2127-422b-91ae-364da2661108http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/35403
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/51186
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:36:20.943Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ie-https-security-bypass(51186)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51186"
          },
          {
            "name": "35403",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/35403"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-05-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site\u0027s context, by modifying an http page to include an https iframe that references a script file on an http site, related to \"HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-16T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "ie-https-security-bypass(51186)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51186"
        },
        {
          "name": "35403",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/35403"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-2064",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site\u0027s context, by modifying an http page to include an https iframe that references a script file on an http site, related to \"HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ie-https-security-bypass(51186)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51186"
            },
            {
              "name": "35403",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/35403"
            },
            {
              "name": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf",
              "refsource": "MISC",
              "url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf"
            },
            {
              "name": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323",
              "refsource": "MISC",
              "url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-2064",
    "datePublished": "2009-06-15T19:00:00",
    "dateReserved": "2009-06-15T00:00:00",
    "dateUpdated": "2024-08-07T05:36:20.943Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-2064\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-06-15T19:30:05.593\",\"lastModified\":\"2024-11-21T01:04:02.670\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site\u0027s context, by modifying an http page to include an https iframe that references a script file on an http site, related to \\\"HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.\\\"\"},{\"lang\":\"es\",\"value\":\"Microsoft Internet Explorer 8, y posiblemente otras versiones, detecta contenido http en p\u00e1ginas web https solamente en marcos de alto nivel que usan https, lo que permite a los atacantes \\\"hombre en el medio\\\" ejecutar arbitrariamente una secuencia de comandos web, en un contexto de una p\u00e1gina https, modificando una p\u00e1gina http que incluya un iframe https que referencia a un archivo de secuencia de comandos en un sitio http, relativo a p\u00e1ginas \\\"HTTP-Intended-but-HTTPS-Loadable (HPIHSL)\\\".\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:*:beta2:*:*:*:*:*:*\",\"versionEndIncluding\":\"8\",\"matchCriteriaId\":\"BFF1D247-1AF2-44C6-81D2-9C868A62BC00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4071D03-D955-4C1B-ACD8-A864F7D0FA02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:5.01:sp4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3F2A51E-2675-4993-B9C2-F2D176A92857\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"693D3C1C-E3E4-49DB-9A13-44ADDFF82507\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:6:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D47247A3-7CD7-4D67-9D9B-A94A504DA1BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:6:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"59159262-BA89-46B9-B16F-0CC6A5502C58\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A33FA7F-BB2A-4C66-B608-72997A2BD1DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:7.0.5730:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3B85C32-02F5-43F5-8BBB-5A240F99BAA9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A52E757F-9B41-43B4-9D67-3FEDACA71283\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:8:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"06E95EE4-23D8-40F7-9DFF-6C835AB62AE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:internet_explorer:8.0b:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"21CCF994-2F4D-44FE-89F7-0F92734D5AF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AC33FCB-8A30-497E-8369-D6A0A30EEB23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F51C049-0E1B-42DE-898D-E18B350EE7D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5354582-A1D1-46CB-A05A-A086820C1013\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8075385C-29C6-4E2D-938A-CD1444892609\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3168D511-6FFD-40D0-B46B-352C6A1CF34C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:2002:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"87D57619-255D-46DD-9C32-E4B7F5F3689A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:pocket_ie:2003:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6284FCA-2362-42A2-A9FE-E6E385191E4D\"}]}]}],\"references\":[{\"url\":\"http://research.microsoft.com/apps/pubs/default.aspx?id=79323\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/35403\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/51186\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://research.microsoft.com/apps/pubs/default.aspx?id=79323\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/35403\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/51186\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.