Vulnerabilities > CVE-2004-1319
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.
Vulnerable Configurations
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS05-013.NASL |
description | The remote host is running a version of Windows which contains a flaw in the DHTML Editing Component ActiveX Control. An attacker could exploit this flaw to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to construct a malicious web page and lure a victim into visiting it. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16329 |
published | 2005-02-08 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16329 |
title | MS05-013: Vulnerability in the DHTML Editing Component may allow code execution (891781) |
code |
|
Oval
accepted 2014-05-05T04:00:06.169-04:00 class vulnerability contributors name Jonathan Baker organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name John Hoyland organization Centennial Software name Maria Mikhno organization ALTX-SOFT
description The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. family windows id oval:org.mitre.oval:def:1114 status accepted submitted 2005-02-10T12:00:00.000-04:00 title IE AbusiveParent Vulnerability (32-bit Server 2003) version 14 accepted 2014-05-05T04:00:13.484-04:00 class vulnerability contributors name Jonathan Baker organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name John Hoyland organization Centennial Software name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc. name Maria Mikhno organization ALTX-SOFT
description The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. family windows id oval:org.mitre.oval:def:1701 status accepted submitted 2005-02-10T12:00:00.000-04:00 title IE AbusiveParent Vulnerability (64-bit XP) version 16 accepted 2014-05-05T04:00:25.219-04:00 class vulnerability contributors name Jonathan Baker organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name John Hoyland organization Centennial Software name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc. name Maria Mikhno organization ALTX-SOFT
description The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. family windows id oval:org.mitre.oval:def:3464 status accepted submitted 2005-02-10T12:00:00.000-04:00 title IE AbusiveParent Vulnerability (32-bit XP) version 17 accepted 2014-05-05T04:00:25.420-04:00 class vulnerability contributors name Jonathan Baker organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name Andrew Buttner organization The MITRE Corporation name John Hoyland organization Centennial Software name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc. name Maria Mikhno organization ALTX-SOFT
description The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. family windows id oval:org.mitre.oval:def:3851 status accepted submitted 2005-02-10T12:00:00.000-04:00 title IE AbusiveParent Vulnerability (Windows 2000) version 16 accepted 2014-05-05T04:00:25.650-04:00 class vulnerability contributors name Jonathan Baker organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name John Hoyland organization Centennial Software name Maria Mikhno organization ALTX-SOFT
description The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. family windows id oval:org.mitre.oval:def:4758 status accepted submitted 2005-02-10T12:00:00.000-04:00 title IE AbusiveParent Vulnerability (64-bit Server 2003) version 15
References
- http://archives.neohapsis.com/archives/bugtraq/2004-12/0167.html
- http://archives.neohapsis.com/archives/bugtraq/2004-12/0167.html
- http://freehost07.websamba.com/greyhats/abusiveparent-discussion.htm
- http://freehost07.websamba.com/greyhats/abusiveparent-discussion.htm
- http://secunia.com/advisories/13482/
- http://secunia.com/advisories/13482/
- http://www.kb.cert.org/vuls/id/356600
- http://www.kb.cert.org/vuls/id/356600
- http://www.securityfocus.com/bid/11950
- http://www.securityfocus.com/bid/11950
- http://www.us-cert.gov/cas/techalerts/TA05-039A.html
- http://www.us-cert.gov/cas/techalerts/TA05-039A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-013
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-013
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18504
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18504
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1114
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1114
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1701
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1701
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3464
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3464
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3851
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3851
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4758
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4758