Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31704
HistoryFeb 11, 2015 - 12:00 a.m.

Major Internet Explorer Vulnerability - NOT Patched

2015-02-1100:00:00
vulners.com
23
JSON

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use

  1. Close the popup window("confirm" dialog) after three seconds.
  2. Click "Go".
  3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting(XSS)
Impact: Same Origin Policy(SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,

JSON