CVE-2008-4033: Infoleak
First published: Wed Nov 12 2008(Updated: )
Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft XML Core Services | =4.0 | |
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows 2003 Server | =sp1 | |
| Microsoft Windows 2003 Server | =sp2 | |
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server 2008 | =sp2 | |
| Microsoft Windows Server 2008 | ||
| Microsoft Windows Server 2008 | =r2 | |
| Microsoft Windows Server 2008 | =r2-sp1 | |
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft XML Core Services | =3.0 | |
| Microsoft XML Core Services | =6.0 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft XML Core Services | =5.0 | |
| Microsoft Expression Web | ||
| Microsoft Expression Web | =2 | |
| Microsoft Groove | =2007 | |
| Microsoft Office | =2003-sp3 | |
| Microsoft Office | =2007-sp1 | |
| Microsoft Office Compatibility Pack | ||
| Microsoft Office Compatibility Pack | =sp1 | |
| Microsoft Office Word Viewer | =2003-sp3 | |
| Microsoft SharePoint Server | =2007 | |
| Microsoft SharePoint Server | =2007-sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://securitytracker.com/id?1021164
- http://www.securityfocus.com/bid/32204
- http://www.us-cert.gov/cas/techalerts/TA08-316A.html
- http://www.vupen.com/english/advisories/2008/3111
- http://marc.info/?l=bugtraq&m=122703006921213&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5847
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-069
- collector/nvd-historical
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/remedy
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/microsoft
- canonical/microsoft xml core services
- version/microsoft xml core services/4.0
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft windows 2003 server
- version/microsoft windows 2003 server/sp1
- version/microsoft windows 2003 server/sp2
- canonical/microsoft windows 7
- version/microsoft windows 7/sp1
- canonical/microsoft windows server 2008
- version/microsoft windows server 2008/sp2
- version/microsoft windows server 2008/r2
- version/microsoft windows server 2008/r2-sp1
- canonical/microsoft windows vista
- version/microsoft windows vista/sp1
- version/microsoft windows vista/sp2
- canonical/microsoft windows xp
- version/microsoft windows xp/sp2
- version/microsoft windows xp/sp3
- version/microsoft xml core services/3.0
- version/microsoft xml core services/6.0
- version/microsoft xml core services/5.0
- canonical/microsoft expression web
- version/microsoft expression web/2
- canonical/microsoft groove
- version/microsoft groove/2007
- canonical/microsoft office
- version/microsoft office/2003-sp3
- version/microsoft office/2007-sp1
- canonical/microsoft office compatibility pack
- version/microsoft office compatibility pack/sp1
- canonical/microsoft office word viewer
- version/microsoft office word viewer/2003-sp3
- canonical/microsoft sharepoint server
- version/microsoft sharepoint server/2007
- version/microsoft sharepoint server/2007-sp1