Microsoft Windows VBScript implementation file name disclosure vulnerability


The Microsoft Windows VBScript implementation contains a file name disclosure vulnerability.

When VBScript is used to load an image file in Internet Explorer, there is a vulnerability where an unauthenticated attacker may confirm the existence of a particular file.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Microsoft Corporation
  • Microsoft Windows 2000 Service Pack 4 and earlier
  • Microsoft Windows XP sp3 SP 1 and earlier


As a step prior to using another vulnerability for an attack, an unauthenticated attacker may confirm the existence of a specific file.

[Upgrade the Software]
Upgrade Windows or apply a Service Pack according to the information provided by the developer.
Vendor Information

Microsoft Corporation
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)


  1. JVN : JVN#5D1D3E36
Revision History

  • [2011/06/16]
      Web page published