Microsoft Internet Explorer 8 - 'toStaticHTML()' HTML Sanitization Bypass

admin 2023-12-09 07:38:06 Ali_nvd Source: ZONE.CI 全球网

CVE ID: CVE-2010-3324

Exploitation status: None at present

Patch status: N/A

Disclosure date: 2010-09-18

Vulnerability description
The toStaticHTML function in Microsoft Internet Explorer 8, and the SafeHTML function in Microsoft Windows SharePoint Services 3.0 SP2, SharePoint Foundation 2010, Office SharePoint Server 2007 SP2, Groove Server 2010, and Office Web Apps, allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and conduct XSS attacks via a crafted use of the Cascading Style Sheets (CSS) @import rule, aka "HTML Sanitization Vulnerability," a different vulnerability than CVE-2010-1257.
Remediation
Users can refer to the following patch information provided by the vendor:

Microsoft SharePoint Server 2007 SP2
  • Microsoft office2007-kb2345212-fullfile-x86-glb.exe http://www.microsoft.com/downloads/details.aspx?familyid=aee3f2de-ccf3-4d32-b468-eede4e8afcd4

Microsoft SharePoint Services 3.0 SP2
  • Microsoft wss-kb2345304-fullfile-x86-glb.exe http://www.microsoft.com/downloads/details.aspx?familyid=12fd97a9-6fb8-4b65-a497-a56587f114e1

Microsoft SharePoint Services 64-bit 3.0 SP2
  • Microsoft wss-kb2345304-fullfile-x64-glb.exe http://www.microsoft.com/downloads/details.aspx?familyid=58d1e91d-a037-485d-a6d9-80fbf403b108

Microsoft Internet Explorer 8
  • Microsoft IE8-WindowsServer2003.WindowsXP-KB2360131-x64-ENU.exe http://www.microsoft.com/downloads/details.aspx?familyid=05413f6c-b4be-4892-b4b3-c54dd01fd95d
  • Microsoft Windows6.1-KB2360131-x64.msu http://www.microsoft.com/downloads/details.aspx?familyid=ffe364ee-e2ae-466c-b727-14b1a976a860
  • Microsoft Windows6.1-KB2360131-x86.msu http://www.microsoft.com/downloads/details.aspx?familyid=6595770f-e580-4613-a83a-3b8ee4cc30f1
  • Microsoft IE8-Windows6.0-KB2360131-x86.msu http://www.microsoft.com/downloads/details.aspx?familyid=191c8388-f1ef-45b6-9f07-d5654a973abe
  • Microsoft IE8-Windows6.0-KB2360131-x64.msu http://www.microsoft.com/downloads/details.aspx?familyid=adeb3036-62fa-4a29-b82f-ff4a50c05996
  • Microsoft Windows6.1-KB2360131-ia64.msu http://www.microsoft.com/downloads/details.aspx?familyid=bbaa9f46-8fc7-4c44-b38c-dc3d5210f63d
  • Microsoft IE8-WindowsXP-KB2360131-x86-ENU.exe http://www.microsoft.com/downloads/details.aspx?familyid=93580299-d764-417f-a7fa-ee441fea2bb3
  • Microsoft IE8-WindowsServer2003-KB2360131-x86-ENU.exe http://www.microsoft.com/downloads/details.aspx?familyid=9af37f62-5585-4ff5-9dd3-3fa0b148ae08

Microsoft SharePoint Server 2007 x64 SP2
  • Microsoft office2007-kb2345212-fullfile-x64-glb.exe http://www.microsoft.com/downloads/details.aspx?familyid=e5e60751-242a-4fdb-9852-6d94050d3d0e

References
http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0179.html
http://support.avaya.com/css/P8/documents/100113324
http://www.us-cert.gov/cas/techalerts/TA10-285A.html
http://www.wooyun.org/bug.php?action=view&id=189
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-071
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-072
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
Affected software
Type Vendor Product Version Impact scope
Application microsoft groove_server 2010 -
Application microsoft ie 8 -
Application microsoft sharepoint_foundation 2010 -
Application microsoft sharepoint_server 2007 -
Application microsoft sharepoint_services 3.0 -
Application microsoft web_apps * -
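CVSS3 score 4.3
  • Attack vector: Network
  • Attack complexity: N/A
  • Privileges required: None
  • Scope: N/A
  • User interaction: Required
  • Availability: None
  • Confidentiality: None
  • Integrity: Partial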
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-ID Vulnerability type
CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- avd.aliyun.com