1. Home
  2. CVE Database
  3. CVE-2007-4901
MEDIUM · 5.8

CVE-2007-4901

The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.1.41.2 and 6.2.32.1, AIM Pro, and AIM Lite does not properly constrain the use of mshtml.dll's web script and HTML functi...

Vulnerability Description

The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.1.41.2 and 6.2.32.1, AIM Pro, and AIM Lite does not properly constrain the use of mshtml.dll's web script and HTML functionality for incoming instant messages, which allows remote attackers to place HTML into unexpected contexts or execute arbitrary code, as demonstrated by writing arbitrary HTML to a notification window, and writing contents of arbitrary local image files to this window via IMG SRC.

CVSS Score

5.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:N
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
NONE

Affected Products

VendorProductVersions
AolAim LiteAll versions
AolAim ProAll versions
AolInstant Messenger6.2.32.1

References

FAQ

What is CVE-2007-4901?

CVE-2007-4901 is a vulnerability with a CVSS score of 5.8 (MEDIUM). The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.1.41.2 and 6.2.32.1, AIM Pro, and AIM Lite does not properly constrain the use of mshtml.dll's web script and HTML functi...

How severe is CVE-2007-4901?

CVE-2007-4901 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2007-4901?

Check the references section above for vendor advisories and patch information. Affected products include: Aol Aim Lite, Aol Aim Pro, Aol Instant Messenger.