CVE-2008-4033: Infoleak
First published: Wed Nov 12 2008(Updated: )
Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft XML Core Services | =4.0 | |
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows Server 2003 | =sp1 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2-sp1 | |
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft XML Core Services | =3.0 | |
| Microsoft XML Core Services | =6.0 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft XML Core Services | =5.0 | |
| Microsoft Expression Web | ||
| Microsoft Expression Web | =2 | |
| Microsoft Groove 2013 | =2007 | |
| Microsoft Office | =2003-sp3 | |
| Microsoft Office | =2007-sp1 | |
| Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint | ||
| Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint | =sp1 | |
| Microsoft Word Viewer | =2003-sp3 | |
| Microsoft SharePoint Server 2010 | =2007 | |
| Microsoft SharePoint Server 2010 | =2007-sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://securitytracker.com/id?1021164
- http://www.securityfocus.com/bid/32204
- http://www.us-cert.gov/cas/techalerts/TA08-316A.html
- http://www.vupen.com/english/advisories/2008/3111
- http://marc.info/?l=bugtraq&m=122703006921213&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5847
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069
Frequently Asked Questions
What is the severity of CVE-2008-4033?
CVE-2008-4033 has a medium severity rating due to its potential for information disclosure.
How do I fix CVE-2008-4033?
To fix CVE-2008-4033, update Microsoft XML Core Services to the latest version available.
What products are affected by CVE-2008-4033?
CVE-2008-4033 affects Microsoft XML Core Services versions 3.0, 4.0, 5.0, and 6.0 as well as Microsoft products that utilize these services.
How can CVE-2008-4033 be exploited?
CVE-2008-4033 can be exploited by remote attackers through manipulated HTTP request header fields to obtain sensitive cross-domain information.
Is my system vulnerable to CVE-2008-4033?
You might be vulnerable to CVE-2008-4033 if you are using Microsoft XML Core Services 3.0 to 6.0.
- collector/nvd-historical
- agent/type
- agent/weakness
- agent/remedy
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/microsoft
- canonical/microsoft xml core services
- version/microsoft xml core services/4.0
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft windows server 2003
- version/microsoft windows server 2003/sp1
- version/microsoft windows server 2003/sp2
- canonical/microsoft windows 7
- version/microsoft windows 7/sp1
- canonical/microsoft windows server
- version/microsoft windows server/sp2
- version/microsoft windows server/r2
- version/microsoft windows server/r2-sp1
- canonical/microsoft windows vista
- version/microsoft windows vista/sp1
- version/microsoft windows vista/sp2
- canonical/microsoft windows xp
- version/microsoft windows xp/sp2
- version/microsoft windows xp/sp3
- version/microsoft xml core services/3.0
- version/microsoft xml core services/6.0
- version/microsoft xml core services/5.0
- canonical/microsoft expression web
- version/microsoft expression web/2
- canonical/microsoft groove 2013
- version/microsoft groove 2013/2007
- canonical/microsoft office
- version/microsoft office/2003-sp3
- version/microsoft office/2007-sp1
- canonical/microsoft office compatibility pack for word, excel, and powerpoint
- version/microsoft office compatibility pack for word, excel, and powerpoint/sp1
- canonical/microsoft word viewer
- version/microsoft word viewer/2003-sp3
- canonical/microsoft sharepoint server 2010
- version/microsoft sharepoint server 2010/2007
- version/microsoft sharepoint server 2010/2007-sp1