CVE-2006-2303
CVSS 6.4
Published: 2006-05-11 06:02:00
Revised: 2011-03-07 21:35:55

[Original] Cross-Application Scripting (XAS) vulnerability in ICQ Client 5.04 build 2321 and earlier allows remote attackers to inject arbitrary web script from one application into another via a banner, which is processed in the My Computer zone using the Internet Explorer COM object.


[CNNVD] ICQ Client Cross-Application Scripting (XAS) Vulnerability in Banner Handling by the Internet Explorer COM Object in the My Computer Zone (CNNVD-200605-214)

        ICQ Client 5.04 build 2321 and earlier versions contain a cross-application scripting (XAS) vulnerability. A remote attacker can inject arbitrary web script from one application into another via a banner that is processed in the My Computer zone by the Internet Explorer COM object.

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may result in modification of system files]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2303
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2303
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-214
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/1765
(UNKNOWN)  VUPEN  ADV-2006-1765
http://www.securityfocus.com/archive/1/archive/1/433360/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060509 ICQ Client Cross-Application Scripting (XAS)
http://securitytracker.com/id?1016045
(UNKNOWN)  SECTRACK  1016045
http://xforce.iss.net/xforce/xfdb/26386
(UNKNOWN)  XF  icq-banner-xas(26386)
http://www.securityfocus.com/bid/17913
(UNKNOWN)  BID  17913
http://securityreason.com/securityalert/868
(UNKNOWN)  SREASON  868
http://secunia.com/advisories/20010
(UNKNOWN)  SECUNIA  20010
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045916.html
(UNKNOWN)  FULLDISC  20060509 ICQ Client Cross-Application Scripting (XAS)

- Vulnerability information

ICQ Client Cross-Application Scripting (XAS) Vulnerability in Banner Handling by the Internet Explorer COM Object in the My Computer Zone
Medium severity | Input validation
Published 2006-05-11 00:00:00 | Updated 2006-05-11 00:00:00
Remote
        ICQ Client 5.04 build 2321 and earlier versions contain a cross-application scripting (XAS) vulnerability. A remote attacker can inject arbitrary web script from one application into another via a banner that is processed in the My Computer zone by the Internet Explorer COM object.

- Advisories and patches

        No data available

- Vulnerability information

25432
ICQ Advertisement Banners Cross-Application Scripting

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-09 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

ICQ Banner Ad Cross-Application Scripting Vulnerability
Input Validation Error 17913
Remote: Yes | Local: No
Published 2006-05-09 12:00:00 | Updated 2007-02-20 08:28:00
QQLan <QQlan@yandex.ru> is credited with the discovery of this vulnerability.

- Affected program versions

ICQ Inc. ICQ 5.04 build 2321
ICQ Inc. ICQ 5.03
ICQ Inc. ICQ 5.02
ICQ Inc. ICQ 4.14
ICQ Inc. ICQ 4.13

- Vulnerability discussion

ICQ is prone to a cross-application scripting vulnerability. This issue is a result of the application rendering externally supplied banner content (via the embedded Internet Explorer COM object) in a different and presumably higher security context than the one the content originated in.

An attacker can exploit this issue to have arbitrary attacker-supplied HTML or JavaScript executed on a victim user's computer in the 'My Computer' security zone. The My Computer (Local Machine) zone is the least restricted zone in Internet Explorer of that era, so script running there is generally permitted to read local files and to instantiate ActiveX objects, which makes the impact far greater than that of an ordinary cross-site scripting bug confined to the Internet zone.
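The contemporaneous host-side mitigation for applications that embed the Internet Explorer WebBrowser control is the FEATURE_LOCALMACHINE_LOCKDOWN feature control introduced with Internet Explorer 6 SP2 / Windows XP SP2, which applies Local Machine zone lockdown to a named process. The script below is an added example for administrators auditing a legacy host; it is not part of the advisory and not vendor-supplied code. The process name `icq.exe` is an assumption made here for illustration and must be replaced with the actual executable name of the host application.

```powershell
# Added example (not from the advisory or the vendor). Enables Local Machine
# zone lockdown for one named process that hosts the IE WebBrowser control.
# Requires IE 6 SP2 or later and an elevated PowerShell session.

$ProcessName = 'icq.exe'   # ASSUMPTION: illustrative name, not from the advisory

# Documented feature-control key; each value is a process name set to DWORD 1.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

function Get-LocalMachineLockdown {
    # Returns 1 if lockdown is enabled for the process, 0 if explicitly
    # disabled, or $null if no setting exists for it.
    param([Parameter(Mandatory)][string]$Process)
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $Process -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Process
}

function Set-LocalMachineLockdown {
    # Creates the feature-control key if needed and writes the per-process DWORD.
    param(
        [Parameter(Mandatory)][string]$Process,
        [bool]$Enabled = $true
    )
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Process -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Check first, then apply only if the process is not already locked down.
$before = Get-LocalMachineLockdown -Process $ProcessName
if ($before -eq 1) {
    Write-Host "$ProcessName already has Local Machine zone lockdown enabled"
} else {
    Set-LocalMachineLockdown -Process $ProcessName
    $after = Get-LocalMachineLockdown -Process $ProcessName
    if ($after -ne 1) { throw "Failed to enable lockdown for $ProcessName" }
    Write-Host "Local Machine zone lockdown enabled for $ProcessName (previous value: $before)"
}
```

The same value can be written under HKCU for a per-user setting. This lockdown constrains what script in the Local Machine zone may do for that process; it does not remove the underlying defect, which is the application feeding untrusted banner content to the browser control in a trusted zone. The proper fix belongs in the host application: render remote content in the Internet zone (for example by implementing IInternetSecurityManager for the hosted control) rather than as local content.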

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites