Vulnerabilities > Microsoft > XML Core Services
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2016-04-12 | CVE-2016-0147 | Improper Input Validation vulnerability in Microsoft XML Core Services 3.0 Microsoft XML Core Services 3.0 allows remote attackers to execute arbitrary code via a crafted web site, aka "MSXML 3.0 Remote Code Execution Vulnerability." | 9.3 |
2015-08-15 | CVE-2015-2471 | Cryptographic Issues vulnerability in Microsoft XML Core Services 3.0/5.0/6.0 Microsoft XML Core Services 3.0, 5.0, and 6.0 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "MSXML Information Disclosure Vulnerability," a different vulnerability than CVE-2015-2434. | 4.3 |
2015-08-15 | CVE-2015-2440 | Information Exposure vulnerability in Microsoft XML Core Services 3.0/5.0/6.0 Microsoft XML Core Services 3.0, 5.0, and 6.0 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "MSXML Information Disclosure Vulnerability." | 4.3 |
2015-08-15 | CVE-2015-2434 | Information Exposure vulnerability in Microsoft XML Core Services 3.0/5.0 Microsoft XML Core Services 3.0 and 5.0 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "MSXML Information Disclosure Vulnerability," a different vulnerability than CVE-2015-2471. | 4.3 |
2015-04-14 | CVE-2015-1646 | Permissions, Privileges, and Access Controls vulnerability in Microsoft XML Core Services 3.0 Microsoft XML Core Services (aka MSXML) 3.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted DTD, aka "MSXML3 Same Origin Policy SFB Vulnerability." | 4.3 |
2014-06-11 | CVE-2014-1816 | Permissions, Privileges, and Access Controls vulnerability in Microsoft XML Core Services 3.0/6.0 Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly restrict the information transmitted by Internet Explorer during a download action, which allows remote attackers to discover (1) full pathnames on the client system and (2) local usernames embedded in these pathnames via a crafted web site, aka "MSXML Entity URI Vulnerability." | 4.3 |
2010-08-11 | CVE-2010-2561 | Code Injection vulnerability in Microsoft XML Core Services 3.0 Microsoft XML Core Services (aka MSXML) 3.0 does not properly handle HTTP responses, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted response, aka "Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability." | 9.3 |
2009-02-04 | CVE-2009-0419 | Permissions, Privileges, and Access Controls vulnerability in Microsoft XML Core Services Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. | 5.0 |
2008-11-12 | CVE-2008-4033 | Information Exposure vulnerability in Microsoft XML Core Services Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability." | 4.3 |
2007-08-14 | CVE-2007-2223 | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft XML Core Services Microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote attackers to execute arbitrary code via the substringData method on a (1) TextNode or (2) XMLDOM object, which causes an integer overflow that leads to a buffer overflow. | 9.3 |