Microsoft Windows Vista gadgets code execution - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku

Microsoft Windows Vista gadgets code execution
Published: 15.08.2007
Source: MICROSOFT
SecurityVulns ID: 8045
Type: client
Level: 7/10
Description: Code eexcution with "Contacts" and "Weather" gadgets.

Affected: MICROSOFT : Windows Vista
CVE: CVE-2007-3891 (Unspecified vulnerability in Windows Vista Weather Gadgets in Windows Vista allows remote attackers to execute arbitrary code via crafted HTML attributes.)
CVE-2007-3033 (Cross-site scripting (XSS) vulnerability in Windows Vista Feed Headlines Gadget (aka Sidebar RSS Feeds Gadget) in Windows Vista allows user-assisted remote attackers to execute arbitrary code via an RSS feed with crafted HTML attributes, which are not properly removed and are rendered in the local zone.)
CVE-2007-3032 (Unspecified vulnerability in Windows Vista Contacts Gadget in Windows Vista allows user-assisted remote attackers to execute arbitrary code via crafted contact information that is not properly handled when it is imported.)

Original document IDEFENSE, [Full-disclosure] iDefense Security Advisory 08.14.07: Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting Vulnerability (15.08.2007)

MICROSOF, Microsoft Security Bulletin MS07-048 - Important Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123) (15.08.2007)

Discuss: Read or add your comments to this news (0 comments)