CVE-2011-2383

Published: Jun 3, 2011Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

Affected (8)

Products: Microsoft: Ie, Internet Explorer

2 products

Internet Explorer

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Microsoft Ie	Version 9 beta
Microsoft Internet Explorer	Up to 9
Microsoft Internet Explorer	Version 3.0
Microsoft Internet Explorer	Version 4.0
Microsoft Internet Explorer	Version 5
Microsoft Internet Explorer	Version 6
Microsoft Internet Explorer	Version 7
Microsoft Internet Explorer	Version 8

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (24)

http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388

Source: cve@mitre.org

http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt

Source: cve@mitre.org

http://news.cnet.com/8301-1009_3-20066419-83.html

Source: cve@mitre.org

http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/

Source: cve@mitre.org

http://www.informationweek.com/news/security/vulnerabilities/229700031

Source: cve@mitre.org

http://www.networkworld.com/community/node/74259

Source: cve@mitre.org

http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

Source: cve@mitre.org

http://www.youtube.com/watch?v=V95CX-3JpK0

Source: cve@mitre.org

http://www.youtube.com/watch?v=VsSkcnIFCxM

Source: cve@mitre.org

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12820

Source: cve@mitre.org

https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt

Source: cve@mitre.org

http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388

Source: af854a3a-2127-422b-91ae-364da2661108

http://ju12.tistory.com/attachment/cfile4.uf%40151FAB4C4DDC9E0002A6FE.ppt

Source: af854a3a-2127-422b-91ae-364da2661108

http://news.cnet.com/8301-1009_3-20066419-83.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.eweek.com/c/a/Security/IE-Flaw-Lets-Attackers-Steal-Cookies-Access-User-Accounts-402503/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.informationweek.com/news/security/vulnerabilities/229700031

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.networkworld.com/community/node/74259

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.youtube.com/watch?v=V95CX-3JpK0

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.youtube.com/watch?v=VsSkcnIFCxM

Source: af854a3a-2127-422b-91ae-364da2661108

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-057

Source: af854a3a-2127-422b-91ae-364da2661108

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12820

Source: af854a3a-2127-422b-91ae-364da2661108

https://sites.google.com/site/tentacoloviola/cookiejacking/Cookiejacking2011_final.ppt

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.