CVE-2008-2306 - Vulnerability Details - OpenCVE

Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Safari
Microsoft	Windows Vista Windows Xp

Configuration 1 [-]

AND

OR	cpe:2.3:o:microsoft:windows_vista::::::::
	cpe:2.3:o:microsoft:windows_xp::::::::

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:a:apple:safari:3.0:::::::*
	cpe:2.3:a:apple:safari:3.0.1:::::::*
	cpe:2.3:a:apple:safari:3.0.2:::::::*
	cpe:2.3:a:apple:safari:3.0.3:::::::*
	cpe:2.3:a:apple:safari:3.0.4:::::::*
	cpe:2.3:a:apple:safari:3.1:::::::*

No data.

References

Link	Providers
http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html
http://secunia.com/advisories/30775
http://www.kb.cert.org/vuls/id/127185
http://www.securityfocus.com/bid/29835
http://www.securitytracker.com/id?1020329
http://www.vupen.com/english/advisories/2008/1882/references

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-06-23T20:00:00

Updated: 2024-08-07T08:58:01.681Z

Reserved: 2008-05-18T00:00:00

Link: CVE-2008-2306

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-06-23T20:41:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-2306

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-06-19T00:00:00", "descriptions": [{"lang": "en", "value": "Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-02-26T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "VU#127185", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/127185"}, {"name": "30775", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30775"}, {"name": "1020329", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1020329"}, {"name": "ADV-2008-1882", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1882/references"}, {"name": "29835", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/29835"}, {"name": "APPLE-SA-2008-06-19", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-2306", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#127185", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/127185"}, {"name": "30775", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30775"}, {"name": "1020329", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1020329"}, {"name": "ADV-2008-1882", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1882/references"}, {"name": "29835", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29835"}, {"name": "APPLE-SA-2008-06-19", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:58:01.681Z"}, "title": "CVE Program Container", "references": [{"name": "VU#127185", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/127185"}, {"name": "30775", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30775"}, {"name": "1020329", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1020329"}, {"name": "ADV-2008-1882", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1882/references"}, {"name": "29835", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/29835"}, {"name": "APPLE-SA-2008-06-19", "tags": ["vendor-advisory", "x_refsource_APPLE", "x_transferred"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-2306", "datePublished": "2008-06-23T20:00:00", "dateReserved": "2008-05-18T00:00:00", "dateUpdated": "2024-08-07T08:58:01.681Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*", "matchCriteriaId": "3852BB02-47A1-40B3-8E32-8D8891A53114", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E61F1C9B-44AF-4B35-A7B2-948EEF7639BD", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "matchCriteriaId": "E618E967-379B-46AA-973E-EBBBBA44FDC7", "versionEndIncluding": "3.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:safari:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "4A33F900-D405-40A8-A0A5-3C80320FF6E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:safari:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8CEB23DE-1A9D-480E-8B8B-9F110A8ABDE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:safari:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "84E78F43-07BD-4D62-9512-DA738A92BC7B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:safari:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F3180366-2240-467E-8AB9-BEA0430948F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:safari:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "5AB9CC52-E533-4306-9E92-73C84B264D4E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:safari:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "912A26D1-3264-464F-B101-1796B35437E2", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files."}, {"lang": "es", "value": "Apple Safari anterior a la versi\u00f3n 3.1.2 en Windows no interpreta apropiadamente la configuraci\u00f3n de zona de Internet Explorer URLACTION_SHELL_EXECUTE_HIGHRISK, que permite a los atacantes remotos omitir las restricciones de acceso previstas y forzar a un sistema cliente a descargar y ejecutar archivos arbitrarios."}], "id": "CVE-2008-2306", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-06-23T20:41:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/30775"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/127185"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/29835"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1020329"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1882/references"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://lists.apple.com/archives/security-announce/2008//Jun/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30775"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/127185"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/29835"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1020329"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1882/references"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}