Total
18 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2002-0057 | 1 Microsoft | 4 Internet Explorer, Sql Server, Windows Xp and 1 more | 2021-07-23 | 5.0 MEDIUM | N/A |
XMLHTTP control in Microsoft XML Core Services 2.6 and later does not properly handle IE Security Zone settings, which allows remote attackers to read arbitrary files by specifying a local file as an XML Data Source. | |||||
CVE-2013-0006 | 1 Microsoft | 15 Expression Web, Groove Server, Office and 12 more | 2020-11-20 | 9.3 HIGH | N/A |
Microsoft XML Core Services (aka MSXML) 3.0, 5.0, and 6.0 does not properly parse XML content, which allows remote attackers to execute arbitrary code via a crafted web page, aka "MSXML Integer Truncation Vulnerability." | |||||
CVE-2012-1889 | 1 Microsoft | 7 Office, Windows 7, Windows Server 2003 and 4 more | 2020-09-28 | 9.3 HIGH | N/A |
Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. | |||||
CVE-2013-0007 | 1 Microsoft | 15 Expression Web, Groove Server, Office and 12 more | 2020-09-28 | 9.3 HIGH | N/A |
Microsoft XML Core Services (aka MSXML) 4.0, 5.0, and 6.0 does not properly parse XML content, which allows remote attackers to execute arbitrary code via a crafted web page, aka "MSXML XSLT Vulnerability." | |||||
CVE-2007-2223 | 1 Microsoft | 11 Expression Web, Office, Office Compatibility Pack and 8 more | 2019-02-27 | 9.3 HIGH | N/A |
Microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote attackers to execute arbitrary code via the substringData method on a (1) TextNode or (2) XMLDOM object, which causes an integer overflow that leads to a buffer overflow. | |||||
CVE-2006-4686 | 1 Microsoft | 2 Xml Core Services, Xml Parser | 2018-10-17 | 7.5 HIGH | N/A |
Buffer overflow in the Extensible Stylesheet Language Transformations (XSLT) processing in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted Web page. | |||||
CVE-2006-4685 | 1 Microsoft | 2 Xml Core Services, Xml Parser | 2018-10-17 | 2.6 LOW | N/A |
The XMLHTTP ActiveX control in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 does not properly handle HTTP server-side redirects, which allows remote user-assisted attackers to access content from other domains. | |||||
CVE-2007-0099 | 1 Microsoft | 2 Internet Explorer, Xml Core Services | 2018-10-16 | 9.3 HIGH | N/A |
Race condition in the msxml3 module in Microsoft XML Core Services 3.0, as used in Internet Explorer 6 and other applications, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger NULL pointer dereferences or memory corruption, aka "MSXML Memory Corruption Vulnerability." | |||||
CVE-2016-0147 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 9.3 HIGH | 8.8 HIGH |
Microsoft XML Core Services 3.0 allows remote attackers to execute arbitrary code via a crafted web site, aka "MSXML 3.0 Remote Code Execution Vulnerability." | |||||
CVE-2015-2434 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 4.3 MEDIUM | N/A |
Microsoft XML Core Services 3.0 and 5.0 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "MSXML Information Disclosure Vulnerability," a different vulnerability than CVE-2015-2471. | |||||
CVE-2015-2471 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 4.3 MEDIUM | N/A |
Microsoft XML Core Services 3.0, 5.0, and 6.0 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "MSXML Information Disclosure Vulnerability," a different vulnerability than CVE-2015-2434. | |||||
CVE-2015-2440 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 4.3 MEDIUM | N/A |
Microsoft XML Core Services 3.0, 5.0, and 6.0 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "MSXML Information Disclosure Vulnerability." | |||||
CVE-2015-1646 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 4.3 MEDIUM | N/A |
Microsoft XML Core Services (aka MSXML) 3.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted DTD, aka "MSXML3 Same Origin Policy SFB Vulnerability." | |||||
CVE-2014-1816 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 4.3 MEDIUM | N/A |
Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly restrict the information transmitted by Internet Explorer during a download action, which allows remote attackers to discover (1) full pathnames on the client system and (2) local usernames embedded in these pathnames via a crafted web site, aka "MSXML Entity URI Vulnerability." | |||||
CVE-2010-2561 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 9.3 HIGH | N/A |
Microsoft XML Core Services (aka MSXML) 3.0 does not properly handle HTTP responses, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted response, aka "Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability." | |||||
CVE-2008-4033 | 1 Microsoft | 13 Expression Web, Groove, Office and 10 more | 2018-10-12 | 4.3 MEDIUM | N/A |
Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability." | |||||
CVE-2006-5745 | 1 Microsoft | 1 Xml Core Services | 2018-10-12 | 7.6 HIGH | N/A |
Unspecified vulnerability in the setRequestHeader method in the XMLHTTP (XML HTTP) ActiveX Control 4.0 in Microsoft XML Core Services 4.0 on Windows, when accessed by Internet Explorer, allows remote attackers to execute arbitrary code via crafted arguments that lead to memory corruption, a different vulnerability than CVE-2006-4685. NOTE: some of these details are obtained from third party information. | |||||
CVE-2009-0419 | 1 Microsoft | 1 Xml Core Services | 2017-08-07 | 5.0 MEDIUM | N/A |
Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033. |