Vulnerability Details : CVE-2008-1448
The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability."
Vulnerability category: Information leak
Products affected by CVE-2008-1448
- cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-1448
92.85%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-1448
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.1
|
HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N |
8.6
|
6.9
|
NIST |
CWE ids for CVE-2008-1448
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-1448
-
http://www.securitytracker.com/id?1020679
-
http://marc.info/?l=bugtraq&m=121915960406986&w=2
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886
-
http://www.coresecurity.com/content/internet-explorer-zone-elevation
-
http://www.securitytracker.com/id?1020680
-
http://www.vupen.com/english/advisories/2008/2352
Vendor Advisory
-
http://www.securityfocus.com/archive/1/495458/100/0/threaded
-
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048
-
http://www.securityfocus.com/bid/30585
Patch
-
http://www.us-cert.gov/cas/techalerts/TA08-225A.html
US Government Resource
Jump to