CVE-2017-0154

Published: Mar 17, 2017Modified: May 13, 2026

4.4

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploitability: 1.8 / Impact: 2.5

Source: NVD

Description

Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windows Server 2016 does not enforce cross-domain policies, allowing attackers to access information from one domain and inject it into another via a crafted application, aka, "Internet Explorer Elevation of Privilege Vulnerability."

Affected (1)

Products: Microsoft: Internet Explorer

1 product

Internet Explorer

Configuration A

1 vulnerable · 4 platform

Vulnerable Software	Affected Versions
Microsoft Internet Explorer	Version 11

Running on/with	Platform Versions
Microsoft Windows 10	All versions
Microsoft Windows 10	Version 1511
Microsoft Windows 10	Version 1607
Microsoft Windows Server 2016	All versions

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (6)

http://www.securityfocus.com/bid/96766

Source: secure@microsoft.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038008

Source: secure@microsoft.com

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0154

Source: secure@microsoft.com

PatchVendor Advisory

http://www.securityfocus.com/bid/96766

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1038008

Source: af854a3a-2127-422b-91ae-364da2661108

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0154

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.