Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Title : Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Name : MS08-056
Vendor : Microsoft
Severity (Vendor) : Moderate
First vendor Publication : 2008-10-14
Last vendor Modification : 2008-11-12
Revision : 1.1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score : 4.3
Cvss Impact Score : 2.9
Cvss Exploit Score : 8.6
Attack Range : Network
Attack Complexity : Medium
Authentication : None Required


Revision Note: V1.1 (November 12, 2008): Corrected the removal information in the section, Security Update Deployment, to state that this security update cannot be uninstalled.

Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS08-056.mspx

CWE : Common Weakness Enumeration

100 % CWE-79 : Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5969
Oval ID: oval:org.mitre.oval:def:5969
Title: Vulnerability in Content-Disposition Header Vulnerability
Description: Cross-site scripting (XSS) vulnerability in Microsoft Office XP SP3 allows remote attackers to inject arbitrary web script or HTML via a document that contains a "Content-Disposition: attachment" header and is accessed through a cdo: URL, which renders the content instead of raising a File Download dialog box, aka "Vulnerability in Content-Disposition Header Vulnerability."
Family: windows
Class: vulnerability
Reference(s): CVE-2008-4020
Version: 2
Platform(s): Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Server 2003
Product(s): Microsoft Office XP
Definition Synopsis:

CPE : Common Platform Enumeration


OpenVAS Exploits

2008-10-15 Name : Microsoft Office Information Disclosure Vulnerability (957699)
File : nvt/secpod_ms08-056_900047.nasl

Open Source Vulnerability Database (OSVDB)

49052 : Microsoft Office CDO Protocol (cdo:) Content-Disposition: Attachment Header XSS

Information Assurance Vulnerability Management (IAVM)

2008-10-16 IAVM : 2008-T-0055 - Microsoft Office Information Disclosure Vulnerability
Severity : Category II - VMSKEY : V0017779

Nessus® Vulnerability Scanner

2008-10-15 Name : The remote installation of Microsoft Office is vulnerable to an information d...
File : smb_nt_ms08-056.nasl - Type : ACT_GATHER_INFO

Alert History

2014-02-17 11:46:04
  • Multiple Updates
2013-11-11 12:41:09
  • Multiple Updates
2013-05-11 00:49:22
  • Multiple Updates