CVE-2015-0072

EXPLOITED

Microsoft Internet Explorer - XSS

Description

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."

Exploits (2)

nomisec WORKING POC 7 stars
by dbellavista · client-side
https://github.com/dbellavista/uxss-poc

metasploit WORKING POC
by David Leo, filedescriptor, joev, sinn3r · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/ie_uxss_injection.rb

Scores

EPSS 0.8855
EPSS Percentile 99.5%

Details

VulnCheck KEV 2015-03-10
CWE CWE-79
Status published
Products (3)
microsoft/internet_explorer 9
microsoft/internet_explorer 10
microsoft/internet_explorer 11
Published Feb 07, 2015
Tracked Since Feb 18, 2026