Vulnerability Details CVE-2008-3843
Request Validation (aka the ValidateRequest filters) in ASP.NET in Microsoft .NET Framework with the MS07-040 update does not properly detect dangerous client input, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a query string containing a "<~/" (less-than tilde slash) sequence followed by a crafted STYLE element.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.117
EPSS Ranking 93.4%
CVSS Severity
CVSS v2 Score 4.3
References
- http://securityreason.com/securityalert/4193
- http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
- http://www.procheckup.com/Vulnerability_PR08-20.php
- http://www.securityfocus.com/archive/1/495667/100/0/threaded
- http://www.securityfocus.com/archive/1/496071/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44743
- http://securityreason.com/securityalert/4193
- http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf
- http://www.procheckup.com/Vulnerability_PR08-20.php
- http://www.securityfocus.com/archive/1/495667/100/0/threaded
- http://www.securityfocus.com/archive/1/496071/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44743
Products affected by CVE-2008-3843
-
cpe:2.3:a:microsoft:.net_framework:1.0
-
cpe:2.3:a:microsoft:.net_framework:1.1
-
cpe:2.3:a:microsoft:.net_framework:2.0
-
cpe:2.3:o:microsoft:windows-nt:2003
-
cpe:2.3:o:microsoft:windows-nt:2008
-
cpe:2.3:o:microsoft:windows-nt:vista
-
cpe:2.3:o:microsoft:windows-nt:xp
-
cpe:2.3:o:microsoft:windows_2000:-
-
cpe:2.3:o:microsoft:windows_vista:*
-
cpe:2.3:o:microsoft:windows_vista:-
-
cpe:2.3:o:microsoft:windows_xp:-