Vulnerability Details : CVE-2015-0072
Public exploit exists!
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2015-0072
- cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-0072
- 97.26%: Probability of exploitation activity in the next 30 days
- ~ 100 %: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2015-0072
- MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection
  Disclosure Date: 2015-02-01
  First seen: 2020-04-26
  auxiliary/gather/ie_uxss_injection
  This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot have X-Frame-Options or it will fail). You can also have your own custom JavaScript
CVSS scores for CVE-2015-0072
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2015-0072
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-0072
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100606
  Microsoft Internet Explorer cross-site scripting CVE-2015-0072 Vulnerability Report
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-018
  Microsoft Security Bulletin MS15-018 - Critical | Microsoft Docs
- http://www.securityfocus.com/bid/72489
  Microsoft Internet Explorer Same Origin Policy Security Bypass Vulnerability
- http://packetstormsecurity.com/files/130308/Microsoft-Internet-Explorer-Universal-XSS-Proof-Of-Concept.html
  Microsoft Internet Explorer Universal XSS Proof Of Concept ≈ Packet Storm (Exploit)
- http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html
  Dangerous Internet Explorer vulnerability opens door to powerful phishing attacks | PCWorld
- http://seclists.org/fulldisclosure/2015/Feb/0
  Full Disclosure: Major Internet Explorer Vulnerability - NOT Patched
- https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bug/
  Internet Explorer has a Cross Site Scripting zero-day bug – Naked Security
- http://www.securitytracker.com/id/1031888
  Microsoft Internet Explorer Multiple Flaws Let Remote Users Execute Arbitrary Code - SecurityTracker
- http://innerht.ml/blog/ie-uxss.html (Exploit)
- http://community.websense.com/blogs/securitylabs/archive/2015/02/05/another-day-another-zero-day-internet-explorer-s-turn-cve-2015-0072.aspx
  Home | Forcepoint Support
- http://www.securityfocus.com/archive/1/534662/100/0/threaded
  SecurityFocus