JVNDB-2011-000036

Microsoft Windows VBScript implementation file name disclosure vulnerability

Overview

The Microsoft Windows VBScript implementation contains a file name disclosure vulnerability.

When VBScript is used to load an image file in Internet Explorer, an unauthenticated attacker may be able to confirm whether a particular file exists.

CVSS Severity

Base Metrics: 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


Microsoft Corporation
  • Microsoft Windows 2000 Service Pack 4 and earlier
  • Microsoft Windows XP SP 1 and earlier

Impact

An unauthenticated attacker may confirm the existence of a specific file as a preliminary step before using another vulnerability for an attack.

Solution

[Upgrade the Software]
Upgrade Windows or apply a Service Pack according to the information provided by the developer.

Vendor Information

Microsoft Corporation

CWE

  1. Permissions (CWE-264) [IPA Evaluation]

CVE

References

  1. JVN : JVN#5D1D3E36

Revision History

[2011/06/16]
  Web page published