Vulnerability Details CVE-2009-0419
Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.27
EPSS Ranking 96.1%
CVSS Severity
CVSS v2 Score 5.0
References
Products affected by CVE-2009-0419
-
cpe:2.3:a:microsoft:xml_core_services:-
-
cpe:2.3:a:microsoft:xml_core_services:1.0
-
cpe:2.3:a:microsoft:xml_core_services:2.0
-
cpe:2.3:a:microsoft:xml_core_services:2.5
-
cpe:2.3:a:microsoft:xml_core_services:2.6
-
cpe:2.3:a:microsoft:xml_core_services:3.0
-
cpe:2.3:a:microsoft:xml_core_services:4.0
-
cpe:2.3:a:microsoft:xml_core_services:5.0
-
cpe:2.3:a:microsoft:xml_core_services:6.0