Vulnerabilities > Microsoft > XML Core Services

DATE  CVE  VULNERABILITY TITLE  RISK

2016-04-12  CVE-2016-0147  Improper Input Validation vulnerability in Microsoft XML Core Services 3.0
Microsoft XML Core Services 3.0 allows remote attackers to execute arbitrary code via a crafted web site, aka "MSXML 3.0 Remote Code Execution Vulnerability."
Risk: network, microsoft CWE-20, critical, 9.3

2015-08-15  CVE-2015-2471  Cryptographic Issues vulnerability in Microsoft XML Core Services 3.0/5.0/6.0
Microsoft XML Core Services 3.0, 5.0, and 6.0 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "MSXML Information Disclosure Vulnerability," a different vulnerability than CVE-2015-2434.
Risk: network, microsoft CWE-310, 4.3

2015-08-15  CVE-2015-2440  Information Exposure vulnerability in Microsoft XML Core Services 3.0/5.0/6.0
Microsoft XML Core Services 3.0, 5.0, and 6.0 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "MSXML Information Disclosure Vulnerability."
Risk: network, microsoft CWE-200, 4.3

2015-08-15  CVE-2015-2434  Information Exposure vulnerability in Microsoft XML Core Services 3.0/5.0
Microsoft XML Core Services 3.0 and 5.0 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "MSXML Information Disclosure Vulnerability," a different vulnerability than CVE-2015-2471.
Risk: network, microsoft CWE-200, 4.3

2015-04-14  CVE-2015-1646  Permissions, Privileges, and Access Controls vulnerability in Microsoft XML Core Services 3.0
Microsoft XML Core Services (aka MSXML) 3.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted DTD, aka "MSXML3 Same Origin Policy SFB Vulnerability."
Risk: network, microsoft CWE-264, 4.3

2014-06-11  CVE-2014-1816  Permissions, Privileges, and Access Controls vulnerability in Microsoft XML Core Services 3.0/6.0
Microsoft XML Core Services (aka MSXML) 3.0 and 6.0 does not properly restrict the information transmitted by Internet Explorer during a download action, which allows remote attackers to discover (1) full pathnames on the client system and (2) local usernames embedded in these pathnames via a crafted web site, aka "MSXML Entity URI Vulnerability."
Risk: network, microsoft CWE-264, 4.3

2010-08-11  CVE-2010-2561  Code Injection vulnerability in Microsoft XML Core Services 3.0
Microsoft XML Core Services (aka MSXML) 3.0 does not properly handle HTTP responses, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted response, aka "Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption Vulnerability."
Risk: network, microsoft CWE-94, critical, 9.3

2009-02-04  CVE-2009-0419  Permissions, Privileges, and Access Controls vulnerability in Microsoft XML Core Services
Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.
Risk: network, low complexity, microsoft CWE-264, 5.0

2008-11-12  CVE-2008-4033  Information Exposure vulnerability in Microsoft XML Core Services
Cross-domain vulnerability in Microsoft XML Core Services 3.0 through 6.0, as used in Microsoft Expression Web, Office, Internet Explorer, and other products, allows remote attackers to obtain sensitive information from another domain and corrupt the session state via HTTP request header fields, as demonstrated by the Transfer-Encoding field, aka "MSXML Header Request Vulnerability."
Risk: network, microsoft CWE-200, 4.3

2007-08-14  CVE-2007-2223  Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft XML Core Services
Microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote attackers to execute arbitrary code via the substringData method on a (1) TextNode or (2) XMLDOM object, which causes an integer overflow that leads to a buffer overflow.
Risk: network, microsoft CWE-119, critical, 9.3