CVE-2008-7295

medium

Microsoft

CVSS v3 Base Score

5.8

AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS Score

17.8%

Exploitation probability in 30 days

Top 5% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Confidentiality

None

Integrity

Availability

Published: August 9, 2011 (5392 days ago)

Last Modified: April 29, 2026

Vendor: Microsoft

Source: NVD

Description

Microsoft Internet Explorer cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.

CWE

CWE-264

Affected Products

microsoft internet explorer

References

🔗 code.google.com 🔗 michael-coates.blogspot.com 🔗 scarybeastsecurity.blogspot.com 🔗 scarybeastsecurity.blogspot.com 🔗 bugzilla.mozilla.org

CVE-2008-7295

Vulnerability Report

Description

CWE

Affected Products

References