CVE-2008-4033

Microsoft XML Core Services 3.0-6.0 - Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-4033. PoCs published by Jerome Athias.

AI-analyzed exploit summary: This exploit leverages an XML External Entity (XXE) vulnerability in Microsoft XML Core Services (MSXML) via ActiveX. It attempts to load an external DTD from a remote URL, which could lead to information disclosure or further exploitation.

Description

Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Jerome Athias · html · remote · windows
https://www.exploit-db.com/exploits/7196

Classification: Working Poc 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Microsoft XML Core Services (MSXML) 3.0
No auth needed
Prerequisites: Victim must open the HTML file in a browser with ActiveX enabled · Msxml2.DOMDocument.3.0 must be available
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=122703006921213&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5847
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-316A.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/3111
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1021164
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32204

Scores

EPSS 0.2775
EPSS Percentile 97.8%

Details

CWE: CWE-200
Status: published
Products (4)
microsoft/xml_core_services 4.0
microsoft/xml_core_services 3.0
microsoft/xml_core_services 6.0
microsoft/xml_core_services 5.0
Published Nov 12, 2008
Tracked Since Feb 18, 2026