Details of VAR-201601-0503

ID

VAR-201601-0503

CVE

CVE-2016-0002

TITLE

Microsoft Internet Explorer 8 From 11 Used in products such as VBScript and JScript Vulnerability to execute arbitrary code in the engine

Trust: 0.8

sources: JVNDB: JVNDB-2016-001010

DESCRIPTION

The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 engines, as used in Internet Explorer 8 through 11 and other products, allow remote attackers to execute arbitrary code via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability.". An attacker could use this vulnerability to read e-mail messages. The Samsung SM-G920F (Galaxy S6) is a Samsung smartphone from South Korea. SecEmailSync is one of the mail sync plugins. A SQL injection vulnerability exists in the SecEmailSync plugin in the SamsungSM-G920FbuildG920FXXU2COH2 release. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands. Samsung SecEmailSync is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Microsoft VBScript is prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Failed attacks will cause denial of service conditions. Microsoft Internet Explorer (IE) is a web browser developed by Microsoft Corporation in the United States, and it is the default browser included with the Windows operating system. Microsoft VBScript (full name Visual Basic Script) is a scripting language and the default programming language for ASP dynamic web pages. JScript is an interpreted object-based scripting language

Trust: 3.78

sources: NVD: CVE-2016-0002 // JVNDB: JVNDB-2016-001010 // CNVD: CNVD-2017-07204 // CNVD: CNVD-2017-07190 // BID: 97654 // BID: 79894 // BID: 97658 // VULHUB: VHN-91384 // VULHUB: VHN-91385 // VULHUB: VHN-87512

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 1.2

sources: CNVD: CNVD-2017-07204 // CNVD: CNVD-2017-07190

AFFECTED PRODUCTS

vendor:	microsoft	model:	vbscript	scope:	eq	version:	5.8	Trust: 1.9
vendor:	microsoft	model:	vbscript	scope:	eq	version:	5.7	Trust: 1.9
vendor:	microsoft	model:	jscript	scope:	eq	version:	5.7	Trust: 1.9
vendor:	microsoft	model:	jscript	scope:	eq	version:	5.8	Trust: 1.6
vendor:	samsung	model:	galaxy s6 g920fxxu2coh2	scope:	-	version:	-	Trust: 1.2
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	9	Trust: 1.1
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	8	Trust: 1.1
vendor:	microsoft	model:	jscript	scope:	eq	version:	5.7 (internet explorer 7)	Trust: 0.8
vendor:	microsoft	model:	jscript	scope:	eq	version:	5.8 (internet explorer 8)	Trust: 0.8
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	10	Trust: 0.8
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	11	Trust: 0.8
vendor:	microsoft	model:	internet explorer	scope:	eq	version:	11 (windows 10)	Trust: 0.8
vendor:	microsoft	model:	vbscript	scope:	eq	version:	5.7 (internet explorer 7)	Trust: 0.8
vendor:	microsoft	model:	vbscript	scope:	eq	version:	5.8 (internet explorer 8)	Trust: 0.8
vendor:	samsung	model:	secemailsync sm-g920f build g920f	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-07204 // CNVD: CNVD-2017-07190 // BID: 97654 // BID: 79894 // BID: 97658 // JVNDB: JVNDB-2016-001010 // CNNVD: CNNVD-201601-204 // NVD: CVE-2016-0002

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-0002
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-0002
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-07204
value:	LOW
Trust: 0.6
CNVD:	CNVD-2017-07190
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201601-204
value:	HIGH
Trust: 0.6
VULHUB:	VHN-91384
value:	LOW
Trust: 0.1
VULHUB:	VHN-91385
value:	HIGH
Trust: 0.1
VULHUB:	VHN-87512
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-0002
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-07204
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
CNVD:	CNVD-2017-07190
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-91384
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1
VULHUB:	VHN-91385
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1
VULHUB:	VHN-87512
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-0002
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	5.9
version:	3.0
Trust: 1.0

sources: CNVD: CNVD-2017-07204 // CNVD: CNVD-2017-07190 // VULHUB: VHN-91384 // VULHUB: VHN-91385 // VULHUB: VHN-87512 // JVNDB: JVNDB-2016-001010 // CNNVD: CNNVD-201601-204 // NVD: CVE-2016-0002

PROBLEMTYPE DATA

problemtype:	CWE-119	Trust: 1.9
problemtype:	CWE-200	Trust: 0.1
problemtype:	CWE-89	Trust: 0.1

sources: VULHUB: VHN-91384 // VULHUB: VHN-91385 // VULHUB: VHN-87512 // JVNDB: JVNDB-2016-001010 // NVD: CVE-2016-0002

THREAT TYPE

network

Trust: 0.9

sources: BID: 97654 // BID: 79894 // BID: 97658

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201601-204

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001010

PATCH

title:	MS16-003	url:	https://technet.microsoft.com/en-us/library/security/ms16-003.aspx	Trust: 0.8
title:	MS16-001	url:	https://technet.microsoft.com/en-us/library/security/ms16-001.aspx	Trust: 0.8
title:	MS16-003	url:	https://technet.microsoft.com/ja-jp/library/security/ms16-003.aspx	Trust: 0.8
title:	MS16-001	url:	https://technet.microsoft.com/ja-jp/library/security/ms16-001.aspx	Trust: 0.8
title:	SamsungSM-G920F Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/94085	Trust: 0.6
title:	SamsungSM-G920FSecEmailSyncSQL injection vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/94086	Trust: 0.6
title:	Microsoft VBScript and JScript Fixing actions for the script engine memory corruption vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59554	Trust: 0.6

sources: CNVD: CNVD-2017-07204 // CNVD: CNVD-2017-07190 // JVNDB: JVNDB-2016-001010 // CNNVD: CNNVD-201601-204

EXTERNAL IDS

db:	NVD	id:	CVE-2016-0002	Trust: 4.8
db:	SECTRACK	id:	1034648	Trust: 1.1
db:	SECTRACK	id:	1034650	Trust: 1.1
db:	BID	id:	97658	Trust: 1.0
db:	BID	id:	97654	Trust: 1.0
db:	JVNDB	id:	JVNDB-2016-001010	Trust: 0.8
db:	CNNVD	id:	CNNVD-201601-204	Trust: 0.7
db:	CNVD	id:	CNVD-2017-07204	Trust: 0.6
db:	CNVD	id:	CNVD-2017-07190	Trust: 0.6
db:	BID	id:	79894	Trust: 0.4
db:	CNNVD	id:	CNNVD-201704-753	Trust: 0.1
db:	VULHUB	id:	VHN-91384	Trust: 0.1
db:	VULHUB	id:	VHN-91385	Trust: 0.1
db:	VULHUB	id:	VHN-87512	Trust: 0.1

sources: CNVD: CNVD-2017-07204 // CNVD: CNVD-2017-07190 // VULHUB: VHN-91384 // VULHUB: VHN-91385 // VULHUB: VHN-87512 // BID: 97654 // BID: 79894 // BID: 97658 // JVNDB: JVNDB-2016-001010 // CNNVD: CNNVD-201601-204 // NVD: CVE-2016-0002

REFERENCES

url:	https://github.com/ud2/advisories/tree/master/android/samsung/nocve-2016-0002	Trust: 2.0
url:	https://www.verisign.com/en_us/security-services/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1215	Trust: 1.1
url:	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-001	Trust: 1.1
url:	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-003	Trust: 1.1
url:	http://www.securitytracker.com/id/1034648	Trust: 1.1
url:	http://www.securitytracker.com/id/1034650	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0002	Trust: 0.8
url:	https://www.ipa.go.jp/security/ciadr/vul/20160113-ms.html	Trust: 0.8
url:	http://www.jpcert.or.jp/at/2016/at160004.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0002	Trust: 0.8
url:	http://www.npa.go.jp/cyberpolice/topics/?seq=17573	Trust: 0.8
url:	http://www.samsung.com/	Trust: 0.6
url:	http://technet.microsoft.com/security/bulletin/ms16-003	Trust: 0.6
url:	http://technet.microsoft.com/security/bulletin/ms16-001	Trust: 0.6
url:	http://www.microsoft.com	Trust: 0.3
url:	http://www.microsoft.com/ie/	Trust: 0.3
url:	https://technet.microsoft.com/library/security/ms16-001	Trust: 0.3
url:	https://technet.microsoft.com/library/security/ms16-003	Trust: 0.3
url:	http://www.securityfocus.com/bid/97658	Trust: 0.1
url:	http://www.securityfocus.com/bid/97654	Trust: 0.1

CREDITS

Roberto Paleari (@rpaleari) and Aristide Fattori (@joystick).

Trust: 0.6

sources: BID: 97654 // BID: 97658

SOURCES

db:	CNVD	id:	CNVD-2017-07204
db:	CNVD	id:	CNVD-2017-07190
db:	VULHUB	id:	VHN-91384
db:	VULHUB	id:	VHN-91385
db:	VULHUB	id:	VHN-87512
db:	BID	id:	97654
db:	BID	id:	79894
db:	BID	id:	97658
db:	JVNDB	id:	JVNDB-2016-001010
db:	CNNVD	id:	CNNVD-201601-204
db:	NVD	id:	CVE-2016-0002

LAST UPDATE DATE

2024-11-23T22:13:20.659000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-07204	date:	2017-05-23T00:00:00
db:	CNVD	id:	CNVD-2017-07190	date:	2017-05-22T00:00:00
db:	VULHUB	id:	VHN-91384	date:	2017-04-22T00:00:00
db:	VULHUB	id:	VHN-91385	date:	2017-04-21T00:00:00
db:	VULHUB	id:	VHN-87512	date:	2018-10-12T00:00:00
db:	BID	id:	97654	date:	2017-04-18T01:05:00
db:	BID	id:	79894	date:	2016-07-06T13:44:00
db:	BID	id:	97658	date:	2017-04-18T01:05:00
db:	JVNDB	id:	JVNDB-2016-001010	date:	2016-03-15T00:00:00
db:	CNNVD	id:	CNNVD-201601-204	date:	2016-01-14T00:00:00
db:	NVD	id:	CVE-2016-0002	date:	2024-11-21T02:40:54.770

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-07204	date:	2017-05-23T00:00:00
db:	CNVD	id:	CNVD-2017-07190	date:	2017-05-22T00:00:00
db:	VULHUB	id:	VHN-91384	date:	2017-04-13T00:00:00
db:	VULHUB	id:	VHN-91385	date:	2017-04-13T00:00:00
db:	VULHUB	id:	VHN-87512	date:	2016-01-13T00:00:00
db:	BID	id:	97654	date:	2017-04-13T00:00:00
db:	BID	id:	79894	date:	2016-01-12T00:00:00
db:	BID	id:	97658	date:	2017-04-13T00:00:00
db:	JVNDB	id:	JVNDB-2016-001010	date:	2016-01-15T00:00:00
db:	CNNVD	id:	CNNVD-201601-204	date:	2016-01-14T00:00:00
db:	NVD	id:	CVE-2016-0002	date:	2016-01-13T05:59:01.433