CVE-2009-0419

medium

Microsoft

CVSS v3 Base Score

5.0

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Score

29.8%

Exploitation probability in 30 days

Top 3% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Confidentiality

Integrity

None

Availability

None

Published: February 4, 2009 (6308 days ago)

Last Modified: April 23, 2026

Vendor: Microsoft

Source: NVD

Description

Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.

CWE

CWE-264

Affected Products

microsoft xml core services

References

🔗 bugzilla.mozilla.org 🔗 exchange.xforce.ibmcloud.com 🔗 bugzilla.mozilla.org 🔗 exchange.xforce.ibmcloud.com

CVE-2009-0419

Vulnerability Report

Description

CWE

Affected Products

References