Vulnerability Description
Microsoft Internet Explorer 7.0 on Windows XP and Vista allows remote attackers to conduct phishing attacks and possibly execute arbitrary code via a res: URI to navcancl.htm with an arbitrary URL as an argument, which displays the URL in the location bar of the "Navigation Canceled" page and injects the script into the "Refresh the page" link, aka "Navigation Cancel Page Spoofing Vulnerability."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows Vista | All versions |
| Microsoft | IE | 7.0 |
| Microsoft | Windows XP | All versions |
References
- http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.asp (Vendor Advisory)
- http://news.com.com/2100-1002_3-6167410.html
- http://osvdb.org/35352
- http://secunia.com/advisories/24535 (Vendor Advisory)
- http://secunia.com/advisories/25627 (Vendor Advisory)
- http://securityreason.com/securityalert/2448
- http://securitytracker.com/id?1018235
- http://www.securityfocus.com/archive/1/462833/100/0/threaded
- http://www.securityfocus.com/archive/1/462939/100/0/threaded
- http://www.securityfocus.com/archive/1/462945/100/0/threaded
- http://www.securityfocus.com/archive/1/471947/100/0/threaded
- http://www.securityfocus.com/bid/22966
- http://www.us-cert.gov/cas/techalerts/TA07-163A.html (US Government Resource)
- http://www.vupen.com/english/advisories/2007/0946
- http://www.vupen.com/english/advisories/2007/2153
FAQ
What is CVE-2007-1499?
CVE-2007-1499 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Microsoft Internet Explorer 7.0 on Windows XP and Vista allows remote attackers to conduct phishing attacks and possibly execute arbitrary code via a res: URI to navcancl.htm with an arbitrary URL as ...
How severe is CVE-2007-1499?
CVE-2007-1499 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2007-1499?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows Vista, Microsoft IE, Microsoft Windows XP.