CVE-2011-2382: Input Validation
First published: Fri Jun 03 2011(Updated: )
Microsoft Internet Explorer 8 and earlier, and Internet Explorer 9 beta, does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Internet Explorer | =9-beta | |
| Internet Explorer | <=8 | |
| Internet Explorer | =3.0 | |
| Internet Explorer | =3.0.1 | |
| Internet Explorer | =3.0.2 | |
| Internet Explorer | =3.1 | |
| Internet Explorer | =3.2 | |
| Internet Explorer | =4.0 | |
| Internet Explorer | =4.0.1 | |
| Internet Explorer | =4.0.1-sp1 | |
| Internet Explorer | =4.0.1-sp2 | |
| Internet Explorer | =4.01 | |
| Internet Explorer | =4.1 | |
| Internet Explorer | =4.01-sp1 | |
| Internet Explorer | =4.5 | |
| Internet Explorer | =4.40.308 | |
| Internet Explorer | =4.40.520 | |
| Internet Explorer | =4.70.1155 | |
| Internet Explorer | =4.70.1158 | |
| Internet Explorer | =4.70.1215 | |
| Internet Explorer | =4.70.1300 | |
| Internet Explorer | =4.71.544 | |
| Internet Explorer | =4.71.1008.3 | |
| Internet Explorer | =4.71.1712.6 | |
| Internet Explorer | =4.72.2106.8 | |
| Internet Explorer | =4.72.3110.8 | |
| Internet Explorer | =4.72.3612.1713 | |
| Internet Explorer | =5 | |
| Internet Explorer | =5.0 | |
| Internet Explorer | =5.0.1 | |
| Internet Explorer | =5.0.1-sp1 | |
| Internet Explorer | =5.0.1-sp2 | |
| Internet Explorer | =5.0.1-sp3 | |
| Internet Explorer | =5.0.1-sp4 | |
| Internet Explorer | =5.00.0518.10 | |
| Internet Explorer | =5.00.0910.1309 | |
| Internet Explorer | =5.00.2014.0216 | |
| Internet Explorer | =5.00.2314.1003 | |
| Internet Explorer | =5.00.2516.1900 | |
| Internet Explorer | =5.00.2614.3500 | |
| Internet Explorer | =5.00.2919.800 | |
| Internet Explorer | =5.00.2919.3800 | |
| Internet Explorer | =5.00.2919.6307 | |
| Internet Explorer | =5.00.2920.0000 | |
| Internet Explorer | =5.00.3103.1000 | |
| Internet Explorer | =5.00.3105.0106 | |
| Internet Explorer | =5.00.3314.2101 | |
| Internet Explorer | =5.00.3315.1000 | |
| Internet Explorer | =5.00.3502.1000 | |
| Internet Explorer | =5.00.3700.1000 | |
| Internet Explorer | =5.01 | |
| Internet Explorer | =5.1 | |
| Internet Explorer | =5.01-sp1 | |
| Internet Explorer | =5.01-sp2 | |
| Internet Explorer | =5.01-sp3 | |
| Internet Explorer | =5.01-sp4 | |
| Internet Explorer | =5.2.3 | |
| Internet Explorer | =5.5 | |
| Internet Explorer | =5.5-preview | |
| Internet Explorer | =5.5-sp1 | |
| Internet Explorer | =5.5-sp2 | |
| Internet Explorer | =5.50.3825.1300 | |
| Internet Explorer | =5.50.4030.2400 | |
| Internet Explorer | =5.50.4134.0100 | |
| Internet Explorer | =5.50.4134.0600 | |
| Internet Explorer | =5.50.4308.2900 | |
| Internet Explorer | =5.50.4522.1800 | |
| Internet Explorer | =5.50.4807.2300 | |
| Internet Explorer | =6 | |
| Internet Explorer | =6-sp1 | |
| Internet Explorer | =6.0 | |
| Internet Explorer | =6.00.2462.0000 | |
| Internet Explorer | =6.00.2479.0006 | |
| Internet Explorer | =6.0.2600 | |
| Internet Explorer | =6.00.2600.0000 | |
| Internet Explorer | =6.0.2800 | |
| Internet Explorer | =6.0.2800.1106 | |
| Internet Explorer | =6.00.2800.1106 | |
| Internet Explorer | =6.0.2900 | |
| Internet Explorer | =6.0.2900.2180 | |
| Internet Explorer | =6.00.2900.2180 | |
| Internet Explorer | =6.00.3663.0000 | |
| Internet Explorer | =6.00.3718.0000 | |
| Internet Explorer | =6.00.3790.0000 | |
| Internet Explorer | =6.00.3790.1830 | |
| Internet Explorer | =6.00.3790.3959 | |
| Internet Explorer | =7 | |
| Internet Explorer | =7.0 | |
| Internet Explorer | =7.0-beta | |
| Internet Explorer | =7.0-beta1 | |
| Internet Explorer | =7.0-beta2 | |
| Internet Explorer | =7.0-beta3 | |
| Internet Explorer | =7.0.5730-unknown | |
| Internet Explorer | =7.0.5730.11 | |
| Internet Explorer | =7.00.5730.1100 | |
| Internet Explorer | =7.00.6000.16386 | |
| Internet Explorer | =7.00.6000.16441 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.networkworld.com/community/node/74259
- http://www.youtube.com/watch?v=V95CX-3JpK0
- http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/
- http://ju12.tistory.com/attachment/cfile4.uf@151FAB4C4DDC9E0002A6FE.ppt
- http://www.informationweek.com/news/security/vulnerabilities/229700031
- http://news.cnet.com/8301-1009_3-20066419-83.html
- http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/
- http://www.youtube.com/watch?v=VsSkcnIFCxM
- https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt
- http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
- http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt
Frequently Asked Questions
What is the severity of CVE-2011-2382?
CVE-2011-2382 is considered a high severity vulnerability due to its potential to allow attackers to access sensitive cookie information.
How do I fix CVE-2011-2382?
To fix CVE-2011-2382, users should update to the latest version of Internet Explorer that addresses this vulnerability.
Which versions of Internet Explorer are affected by CVE-2011-2382?
CVE-2011-2382 affects Microsoft Internet Explorer 8 and earlier, as well as Internet Explorer 9 beta.
What type of attack does CVE-2011-2382 facilitate?
CVE-2011-2382 facilitates a cross-zone drag-and-drop attack that allows attackers to read cookie files under certain conditions.
Is user interaction required to exploit CVE-2011-2382?
Yes, user interaction is required to exploit CVE-2011-2382, as the attacker needs to trick the user into performing specific actions.
- agent/author
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-historical
- vendor/microsoft
- canonical/microsoft internet explorer
- version/microsoft internet explorer/9-beta
- canonical/internet explorer
- version/internet explorer/8
- version/internet explorer/3.0
- version/internet explorer/3.0.1
- version/internet explorer/3.0.2
- version/internet explorer/3.1
- version/internet explorer/3.2
- version/internet explorer/4.0
- version/internet explorer/4.0.1
- version/internet explorer/4.0.1-sp1
- version/internet explorer/4.0.1-sp2
- version/internet explorer/4.01
- version/internet explorer/4.1
- version/internet explorer/4.01-sp1
- version/internet explorer/4.5
- version/internet explorer/4.40.308
- version/internet explorer/4.40.520
- version/internet explorer/4.70.1155
- version/internet explorer/4.70.1158
- version/internet explorer/4.70.1215
- version/internet explorer/4.70.1300
- version/internet explorer/4.71.544
- version/internet explorer/4.71.1008.3
- version/internet explorer/4.71.1712.6
- version/internet explorer/4.72.2106.8
- version/internet explorer/4.72.3110.8
- version/internet explorer/4.72.3612.1713
- version/internet explorer/5
- version/internet explorer/5.0
- version/internet explorer/5.0.1
- version/internet explorer/5.0.1-sp1
- version/internet explorer/5.0.1-sp2
- version/internet explorer/5.0.1-sp3
- version/internet explorer/5.0.1-sp4
- version/internet explorer/5.00.0518.10
- version/internet explorer/5.00.0910.1309
- version/internet explorer/5.00.2014.0216
- version/internet explorer/5.00.2314.1003
- version/internet explorer/5.00.2516.1900
- version/internet explorer/5.00.2614.3500
- version/internet explorer/5.00.2919.800
- version/internet explorer/5.00.2919.3800
- version/internet explorer/5.00.2919.6307
- version/internet explorer/5.00.2920.0000
- version/internet explorer/5.00.3103.1000
- version/internet explorer/5.00.3105.0106
- version/internet explorer/5.00.3314.2101
- version/internet explorer/5.00.3315.1000
- version/internet explorer/5.00.3502.1000
- version/internet explorer/5.00.3700.1000
- version/internet explorer/5.01
- version/internet explorer/5.1
- version/internet explorer/5.01-sp1
- version/internet explorer/5.01-sp2
- version/internet explorer/5.01-sp3
- version/internet explorer/5.01-sp4
- version/internet explorer/5.2.3
- version/internet explorer/5.5
- version/internet explorer/5.5-preview
- version/internet explorer/5.5-sp1
- version/internet explorer/5.5-sp2
- version/internet explorer/5.50.3825.1300
- version/internet explorer/5.50.4030.2400
- version/internet explorer/5.50.4134.0100
- version/internet explorer/5.50.4134.0600
- version/internet explorer/5.50.4308.2900
- version/internet explorer/5.50.4522.1800
- version/internet explorer/5.50.4807.2300
- version/internet explorer/6
- version/internet explorer/6-sp1
- version/internet explorer/6.0
- version/internet explorer/6.00.2462.0000
- version/internet explorer/6.00.2479.0006
- version/internet explorer/6.0.2600
- version/internet explorer/6.00.2600.0000
- version/internet explorer/6.0.2800
- version/internet explorer/6.0.2800.1106
- version/internet explorer/6.00.2800.1106
- version/internet explorer/6.0.2900
- version/internet explorer/6.0.2900.2180
- version/internet explorer/6.00.2900.2180
- version/internet explorer/6.00.3663.0000
- version/internet explorer/6.00.3718.0000
- version/internet explorer/6.00.3790.0000
- version/internet explorer/6.00.3790.1830
- version/internet explorer/6.00.3790.3959
- version/internet explorer/7
- version/internet explorer/7.0
- version/internet explorer/7.0-beta
- version/internet explorer/7.0-beta1
- version/internet explorer/7.0-beta2
- version/internet explorer/7.0-beta3
- version/internet explorer/7.0.5730-unknown
- version/internet explorer/7.0.5730.11
- version/internet explorer/7.00.5730.1100
- version/internet explorer/7.00.6000.16386
- version/internet explorer/7.00.6000.16441