CVE-2016-3298

CVSS 6.5 MEDIUM · EPSS 32.8% · KEV

In short

Internet Explorer versions 9-11 have a flaw that lets attackers on a malicious website check if specific files exist on your computer without your knowledge, potentially exposing sensitive information about what's installed or stored on your system.

Technical detail

A remote attacker can craft a malicious website that leverages improper file existence validation in Internet Explorer 9-11 and the Internet Messaging API to determine whether arbitrary files exist on a victim's system. The attack requires user interaction (visiting a crafted website) and relies on observable differences in how the browser handles file access attempts, enabling information disclosure about the target system's file structure.

Summary generated and translated by AI from the official description.

Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected products
n/a · n/a
