CVE-2001-0154 - Vulnerability Details - OpenCVE

Description

HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.

Published: 2001-05-07

Score: 7.5 High

EPSS: 16.8% Moderate

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:internet_explorer::::::::
	cpe:2.3:a:microsoft:internet_explorer:5.01:::::::*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.16798.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://marc.info/?l=bugtraq&m=98596775905044&w=2
http://securitytracker.com/id?1001197
http://www.cert.org/advisories/CA-2001-06.html
http://www.ciac.org/ciac/bulletins/l-066.shtml
http://www.osvdb.org/7806
http://www.securityfocus.com/bid/2524
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020
https://exchange.xforce.ibmcloud.com/vulnerabilities/6306
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141

History

No history.

Subscriptions

Microsoft Internet Explorer

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2001-05-07T04:00:00.000Z

Updated: 2024-08-08T04:06:55.428Z

Reserved: 2001-02-10T00:00:00.000Z

Link: CVE-2001-0154

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2001-05-03T04:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2001-0154

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2001-03-29T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2004-09-02T09:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "CA-2001-06", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.cert.org/advisories/CA-2001-06.html"}, {"name": "MS01-020", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"}, {"name": "2524", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/2524"}, {"name": "1001197", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1001197"}, {"name": "ie-mime-execute-code(6306)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"}, {"name": "L-066", "tags": ["third-party-advisory", "government-resource", "x_refsource_CIAC"], "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"}, {"name": "oval:org.mitre.oval:def:141", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"}, {"name": "20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=98596775905044&w=2"}, {"name": "7806", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/7806"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2001-0154", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "CA-2001-06", "refsource": "CERT", "url": "http://www.cert.org/advisories/CA-2001-06.html"}, {"name": "MS01-020", "refsource": "MS", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"}, {"name": "2524", "refsource": "BID", "url": "http://www.securityfocus.com/bid/2524"}, {"name": "1001197", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1001197"}, {"name": "ie-mime-execute-code(6306)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"}, {"name": "L-066", "refsource": "CIAC", "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"}, {"name": "oval:org.mitre.oval:def:141", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"}, {"name": "20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=98596775905044&w=2"}, {"name": "7806", "refsource": "OSVDB", "url": "http://www.osvdb.org/7806"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T04:06:55.428Z"}, "title": "CVE Program Container", "references": [{"name": "CA-2001-06", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.cert.org/advisories/CA-2001-06.html"}, {"name": "MS01-020", "tags": ["vendor-advisory", "x_refsource_MS", "x_transferred"], "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"}, {"name": "2524", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/2524"}, {"name": "1001197", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1001197"}, {"name": "ie-mime-execute-code(6306)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"}, {"name": "L-066", "tags": ["third-party-advisory", "government-resource", "x_refsource_CIAC", "x_transferred"], "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"}, {"name": "oval:org.mitre.oval:def:141", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"}, {"name": "20010330 Incorrect MIME Header Can Cause IE to Execute E-mail Attachment", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=98596775905044&w=2"}, {"name": "7806", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/7806"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2001-0154", "datePublished": "2001-05-07T04:00:00.000Z", "dateReserved": "2001-02-10T00:00:00.000Z", "dateUpdated": "2024-08-08T04:06:55.428Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BDFCFCB-6E90-4F29-9852-A3099DF05843", "versionEndIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:5.01:*:*:*:*:*:*:*", "matchCriteriaId": "6219D36E-9E2C-4DC7-8FD5-FAD144A333F6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly."}, {"lang": "es", "value": "Funcionalidad HTML en Internet Explorer 5.5 y anteriores, que permite al atacante la ejecuci\u00f3n de un archivo adjunto. Se consigue gracias al env\u00edo de cabeceras MIME inv\u00e1lidas para el adjunto que le permiten disfrazarse como un tipo de archivo no ejecutable. \r\n\r\nEl correo electr\u00f3nico v\u00eda HTML se representa en p\u00e1ginas web que el explorador es capaz de interpretar. Cuando el correo contiene ficheros adjuntos el Explorador tambi\u00e9n es capaz de abrir la aplicaci\u00f3n asociada a los ficheros binarios adjuntos cuyo tipo (extensi\u00f3n de archivo) est\u00e1 definido en las cabeceras MIME. \r\n\r\nSin embargo, existe un defecto en el tipo de tratamiento que es especificado para ciertos tipos MIME sin identificar. Si un atacante crea un correo HTML conteniendo un fichero adjunto ejecutable y le sustituye la informaci\u00f3n de cabecera MIME por otra, que contiene un tipo de archivo MIME reconocido, provocar\u00eda la ejecuci\u00f3n autom\u00e1tica del adjunto.\r\n\r\nUn atacante podr\u00eda usar esta vulnerabilidad en cualquiera de estos dos escenarios.\r\n\r\nEl atacante pod\u00edra generar un correo electr\u00f3nico HTML infectado sobre un sitio web \u00fd despues intentar convencer a otro usuario para que los visite. El fichero adjunto ser\u00eda ejecutado autom\u00e1ticamente simplemente por visualizar la p\u00e1gina que muestra la lista de mensajes.\r\n\r\nEn el otro supuesto, el atacante conseguir\u00eda su objetivo envi\u00e1ndo directamente el correo HTML a la direcci\u00f3n del ususario que desea infectar.\r\n\r\nEn ambos supuestos la ejecuci\u00f3n del adjunto est\u00e1 limitada a los privilegios de sistema que tenga establecidos el ususario."}], "id": "CVE-2001-0154", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2001-05-03T04:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=98596775905044&w=2"}, {"source": "cve@mitre.org", "url": "http://securitytracker.com/id?1001197"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.cert.org/advisories/CA-2001-06.html"}, {"source": "cve@mitre.org", "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/7806"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/2524"}, {"source": "cve@mitre.org", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=98596775905044&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1001197"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.cert.org/advisories/CA-2001-06.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ciac.org/ciac/bulletins/l-066.shtml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/7806"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/2524"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}