CVE-2012-4776

critical

Description

The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not validate configuration data that is returned during acquisition of proxy settings, which allows remote attackers to execute arbitrary JavaScript code by providing crafted data during execution of (1) an XAML browser application (aka XBAP) or (2) a .NET Framework application, aka "Web Proxy Auto-Discovery Vulnerability."

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15810

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-074

http://www.us-cert.gov/cas/techalerts/TA12-318A.html

http://www.securitytracker.com/id?1027753

http://www.securityfocus.com/bid/56463

http://secunia.com/advisories/51236

http://osvdb.org/87266

Details

Source: Mitre, NVD

Published: 2012-11-14

Updated: 2023-12-07

Risk Information

CVSS v2

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical