U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:microsoft:xml_core_services:2.6:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 2 matching records.
Displaying matches 1 through 2.
Vuln ID Summary CVSS Severity

Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.

Published: February 04, 2009; 2:30:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM

XMLHTTP control in Microsoft XML Core Services 2.6 and later does not properly handle IE Security Zone settings, which allows remote attackers to read arbitrary files by specifying a local file as an XML Data Source.

Published: March 08, 2002; 12:00:00 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM