Executive Summary
Summary | |
---|---|
Title | Vulnerability in Windows Search Could Allow Information Disclosure (963093) |
Informations | |||
---|---|---|---|
Name | MS09-023 | First vendor Publication | 2009-06-09 |
Vendor | Microsoft | Last vendor Modification | 2009-06-09 |
Severity (Vendor) | Moderate | Revision | 1.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Revision Note: Bulletin published.Summary: This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not installed on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability. |
Original Source
Url : http://www.microsoft.com/technet/security/bulletin/MS09-023.mspx |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5428 | |||
Oval ID: | oval:org.mitre.oval:def:5428 | ||
Title: | Script Execution in Windows Search Vulnerability | ||
Description: | Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted file that appears in a preview in a search result, aka "Script Execution in Windows Search Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-0239 | Version: | 1 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 | Product(s): | Windows Search 4.0 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2009-06-10 | Name : Microsoft Windows Search Script Execution Vulnerability (963093) File : nvt/secpod_ms09-023.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
54935 | Microsoft Windows MSHTML Search Preview Display Information Disclosure |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2009-06-11 | IAVM : 2009-T-0032 - Information Disclosure Vulnerability in Microsoft Windows Search Severity : Category II - VMSKEY : V0019397 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-06-10 | Name : A vulnerability in Windows Search may lead to information disclosure. File : smb_nt_ms09-023.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:46:14 |
|
2013-11-11 12:41:11 |
|