CVE-2011-2383

Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

Published: Jun 3, 2011
Updated: Apr 13, 2023
CVE: CVE-2011-2383
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
microsoft / internet_explorer	8	8.x
microsoft / internet_explorer	5	5.x
microsoft / ie	9-beta	9-beta.x
microsoft / internet_explorer	7	7.x
microsoft / internet_explorer	6	6.x
microsoft / internet_explorer	3.0	3.0.x
microsoft / internet_explorer	4.0	4.0.x
microsoft / internet_explorer	-	9.x

Vulnerability Database

289,599

CVE-2011-2383