[Original] Cross-Application Scripting (XAS) vulnerability in ICQ Client 5.04 build 2321 and earlier allows remote attackers to inject arbitrary web script from one application into another via a banner, which is processed in the My Computer zone using the Internet Explorer COM object.
[CNNVD] ICQ Client cross-application scripting (XAS) vulnerability in banner handling by the Internet Explorer COM object in the My Computer zone (CNNVD-200605-214)
ICQ Client 5.04 build 2321 and earlier contains a cross-application scripting (XAS) vulnerability. A remote attacker can inject arbitrary web script from one application into another by means of a banner that is processed in the My Computer zone using the Internet Explorer COM object.
QQLan <QQlan@yandex.ru> is credited with the discovery of this vulnerability.
-
Affected program versions
ICQ Inc. ICQ 5.04 build 2321
ICQ Inc. ICQ 5.03
ICQ Inc. ICQ 5.02
ICQ Inc. ICQ 4.14
ICQ Inc. ICQ 4.13
-
Vulnerability discussion
ICQ is prone to a cross-application scripting vulnerability. This issue is a result of the application accessing content in a different and presumably higher security context than the original content.
An attacker can exploit this issue to have arbitrary attacker-supplied HTML or JavaScript executed on a victim user's computer in the 'My Computer' security zone.
-
Exploit
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
-
Solution
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.