N/A

The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.1.41.2 and 6.2.32.1, AIM Pro, and AIM Lite does not properly constrain the use of mshtml.dll's web script and HTML functionality for incoming instant messages, which allows remote attackers to place HTML into unexpected contexts or execute arbitrary code, as demonstrated by writing arbitrary HTML to a notification window, and writing contents of arbitrary local image files to this window via IMG SRC.

N/A

N/A

AOL Instant Messenger通知窗口远程脚本执行漏洞

AOL Instant Messenger是一款在线即时聊天工具。 AIM在处理消息窗口时存在漏洞，可能导致信息泄露及代码执行。 为了支持渲染HTML内容，AOL Instant Messaging软件客户端使用了嵌入的Internet Explorer服务器协议，但没有正确的过滤恶意输入内容，因此攻击者可以在IM消息中提供恶意的HTML内容来利用Internet Explorer的bug或安全配置弱点，导致注入并执行任意代码或伪造跨站请求。

N/A

N/A