CVE-2008-2540
Description
Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a Carpet Bomb and a Blended Threat Elevation of Privilege Vulnerability, a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Cumulative Security Update for Internet Explorer 5.01 Service Pack 4 (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer 6 SP1 (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer for Windows XP (KB963027) x86 based systems | Windows |
| Cumulative Security Update for Internet Explorer for Windows XP (KB963027) x86 based systems for SP3 | Windows |
| Cumulative Security Update for Internet Explorer for Windows XP x64 Edition (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB963027) x86 based systems | Windows |
| Cumulative Security Update for Internet Explorer 7 for Windows XP (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer 7 in Windows Vista (KB963027) x86 based systems | Windows |
| Cumulative Security Update for Internet Explorer 7 in Windows Vista (KB963027) x86 based systems for SP1 | Windows |
| Cumulative Security Update for Internet Explorer 7 in Windows Vista x64 Edition (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer 7 in Windows Vista x64 Edition (KB963027) for SP1 | Windows |
| Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 x64 Edition (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer for Windows Server 2003 x64 Edition (KB963027) | Windows |
| Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB963027) x86 based systems for SP2 | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows 2000 (KB959426) | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows XP (KB959426) x86 based systems | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows XP (KB959426) x86 based systems for SP3 | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Server 2003 (KB959426) | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Vista (KB959426) x86 based systems | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Vista (KB959426) x86 based systems for SP1 | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Server 2008 (KB959426) | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows XP x64 Edition (KB959426) | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Server 2003 x64 Edition (KB959426) | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Vista for x64-based Systems (KB959426) | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Vista for x64-based Systems (KB959426) for SP1 | Windows |
| MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege for Windows Server 2008 x64 Edition (KB959426) | Windows |
| Multiple Vulnerabilities are affected in Apple Safari 3.1.1 | Mac |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-7003 | Cumulative Security Update for Internet Explorer for Windows XP (KB963027) |
| PATCH-7012 | Cumulative Security Update for Internet Explorer 7 in Windows Vista (KB963027) |
| PATCH-7014 | Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 (KB963027) |
| PATCH-7016 | Cumulative Security Update for Internet Explorer 7 in Windows Server 2008 x64 Edition (KB963027) |
| PATCH-7018 | Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB963027) |
| PATCH-7026 | Security Update for Windows Server 2008 (KB959426) |
| PATCH-7031 | Security Update for Windows Server 2008 x64 Edition (KB959426) |
| PATCH-611604 | Apple Safari for MAC (MacOS Sonoma) (18.6) |