Description
The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability."
Exploits (1)
References (15)
Core 15
Core References
Exploit exploit
x_refsource_exploit-db
http://www.exploit-db.com/exploits/16071
US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/326549
Exploit x_refsource_misc
http://www.80vul.com/webzine_0x05/0x05%20IE%E4%B8%8BMHTML%E5%8D%8F%E8%AE%AE%E5%B8%A6%E6%9D%A5%E7%9A%84%E8%B7%A8%E5%9F%9F%E5%8D%B1%E5%AE%B3.html
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA11-102A.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/46055
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-026
Various Sources x_refsource_confirm
http://blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspx
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1025003
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6956
Vendor Advisory x_refsource_confirm
http://www.microsoft.com/technet/security/advisory/2501696.mspx
Various Sources x_refsource_confirm
http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/70693
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/43093
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/65000
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0242
Scores
CVSS v3
6.1
EPSS
0.7014
EPSS Percentile
98.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2011-04-12
CWE
CWE-79
Status
published
Products (7)
microsoft/windows_2003_server
(2 CPE variants)
microsoft/windows_7
microsoft/windows_server_2003
microsoft/windows_server_2008
(6 CPE variants)
microsoft/windows_server_2008
r2 (2 CPE variants)
microsoft/windows_vista
(2 CPE variants)
microsoft/windows_xp
(2 CPE variants)
Published
Jan 31, 2011
Tracked Since
Feb 18, 2026