1. Home
  2. CVE Database
  3. CVE-2012-4776
HIGH · 9.3

CVE-2012-4776

The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not validate configuration data that is returned during acquisition of proxy settings...

Vulnerability Description

The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not validate configuration data that is returned during acquisition of proxy settings, which allows remote attackers to execute arbitrary JavaScript code by providing crafted data during execution of (1) an XAML browser application (aka XBAP) or (2) a .NET Framework application, aka "Web Proxy Auto-Discovery Vulnerability."

CVSS Score

9.3

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C
Confidentiality
COMPLETE
Integrity
COMPLETE
Availability
COMPLETE

Affected Products

VendorProductVersions
Microsoft.Net Framework2.0
MicrosoftWindows Server 2003All versions
MicrosoftWindows Server 2008All versions
MicrosoftWindows VistaAll versions
MicrosoftWindows XpAll versions
MicrosoftWindows 7All versions
MicrosoftWindows 8-
MicrosoftWindows Server 2012-

Related Weaknesses (CWE)

CWE-20

References

FAQ

What is CVE-2012-4776?

CVE-2012-4776 is a vulnerability with a CVSS score of 9.3 (HIGH). The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not validate configuration data that is returned during acquisition of proxy settings...

How severe is CVE-2012-4776?

CVE-2012-4776 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2012-4776?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft .Net Framework, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows Xp.