Description
The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not validate configuration data that is returned during acquisition of proxy settings, which allows remote attackers to execute arbitrary JavaScript code by providing crafted data during execution of (1) an XAML browser application (aka XBAP) or (2) a .NET Framework application, aka "Web Proxy Auto-Discovery Vulnerability."
References (7)
Core 7
Core References
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-318A.html
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-074
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15810
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1027753
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/56463
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/87266
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/51236
Scores
EPSS
0.2475
EPSS Percentile
97.6%
Details
CWE
CWE-20
Status
published
Products (5)
microsoft/.net_framework
2.0 sp2
microsoft/.net_framework
3.5.1
microsoft/.net_framework
4.0
microsoft/.net_framework
3.5
microsoft/.net_framework
4.5
Published
Nov 14, 2012
Tracked Since
Feb 18, 2026